PR: 2314

author Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)
diff --git a/CHANGES b/CHANGES

index a083afc6e29820a4f6c30f74f6372c5020eabce4..23f145ca36d297e306df79154e7b012fafc75b7d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
  
   Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
  
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
    *) Don't reencode certificate when calculating signature: cache and use
       the original encoding instead. This makes signature verification of
       some broken encodings work correctly.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index b0d49d8cd37567cb88feb1ee5642286e21941a77..f0995b96acea28bf7e40f6e23b983d7877bc9189 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1376,6 +1376,7 @@ int ssl3_get_key_exchange(SSL *s)
                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
                 ecdh=NULL;
                 BN_CTX_free(bn_ctx);
+               bn_ctx = NULL;
                 EC_POINT_free(srvr_ecpoint);
                 srvr_ecpoint = NULL;
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:21:23 +0000 (12:21 +0000)
CHANGES		patch \| blob \| blame \| history
ssl/s3_clnt.c		patch \| blob \| blame \| history