PR: 2314

author Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)
diff --git a/CHANGES b/CHANGES

index 4d7834360121cba7b3ae9511a4b592c17240ad4f..ae47318517227310f93848a3708de9e465e0ffb6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -893,6 +893,9 @@
    
   Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
  
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
    *) Don't reencode certificate when calculating signature: cache and use
       the original encoding instead. This makes signature verification of
       some broken encodings work correctly.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index 99b2f492842c72bf22c5b1ed4920867f93ea4adc..8b74e9f53e9afd76eadbb745f6f56d724ebba41b 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1509,6 +1509,7 @@ int ssl3_get_key_exchange(SSL *s)
                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
                 ecdh=NULL;
                 BN_CTX_free(bn_ctx);
+               bn_ctx = NULL;
                 EC_POINT_free(srvr_ecpoint);
                 srvr_ecpoint = NULL;
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:27:19 +0000 (12:27 +0000)
CHANGES		patch \| blob \| history
ssl/s3_clnt.c		patch \| blob \| history