From efc84eacb7a500306c7cb55e4e2d707dfd9d1ac1 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 27 Jul 2022 14:52:13 +0100
Subject: [PATCH] Ensure the rrl object is set to NULL after it is freed

Once we free the rrl object we should NULL it to prevent a dangling ref
to it. Otherwise we could get a double free.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18132)
---
 ssl/record/rec_layer_s3.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 807cc43c15d..c187141ee98 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1774,6 +1774,7 @@ int ssl_set_new_record_layer(SSL_CONNECTION *s, int version,
         return 0;
     }
 
+    s->rlayer.rrl = NULL;
     if (meth != NULL)
         s->rlayer.rrlmethod = meth;
 
-- 
2.47.3