From: Matt Caswell <matt@openssl.org>
Date: Tue, 15 Aug 2023 14:33:34 +0000 (+0100)
Subject: Don't free the prev BIO prematurely
X-Git-Tag: openssl-3.2.0-alpha1~201
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92e3f43aec553145b4d4cbb4dbd3df9658a05bb4;p=thirdparty%2Fopenssl.git

Don't free the prev BIO prematurely

We shouldn't free the prev BIO in ssl_set_new_record_layer until it is
no longer referenced by s->rlayer.rrlnext.

Found by the reproducible error patch in #21668

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21741)
---

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 2f5a6114707..16726019f9d 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1325,7 +1325,6 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
                 next = BIO_new(BIO_s_mem());
 
             if (next == NULL) {
-                BIO_free(prev);
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                 return 0;
             }