authorDr. Stephen Henson <steve@openssl.org>2010-10-10 12:27:19 +0000
committerDr. Stephen Henson <steve@openssl.org>2010-10-10 12:27:19 +0000
commit3fa29765fd654361f9070502139c31c40595ef7b (patch)
treed7f7ff2e6fc2bb64307f6498a67c371904308174
parentb9e468c163b5a3f902b5cef5c923b369b2ae4fed (diff)
downloadopenssl-3fa29765fd654361f9070502139c31c40595ef7b.tar.gz
PR: 2314
Submitted by: Mounir IDRASSI <mounir.idrassi@idrix.net> Reviewed by: steve Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
-rw-r--r--CHANGES3
-rw-r--r--ssl/s3_clnt.c1
2 files changed, 4 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 4d78343601..ae47318517 100644
--- a/CHANGES
+++ b/CHANGES
@@ -893,6 +893,9 @@
Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+ *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+ [Steve Henson]
+
*) Don't reencode certificate when calculating signature: cache and use
the original encoding instead. This makes signature verification of
some broken encodings work correctly.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 99b2f49284..8b74e9f53e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1509,6 +1509,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
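Review bot: The added `bn_ctx = NULL;` carries no comment saying why the pointer has to be cleared, and the reason cannot be seen at this spot: presumably the function's shared error exit, which lies outside this hunk, frees bn_ctx again when a later check fails. A short comment such as `/* cleared so the error exit does not free bn_ctx a second time */` would keep the line from being dropped later as redundant. The neighbouring `ecdh=NULL;` and `srvr_ecpoint = NULL;` follow the same free-then-clear pattern, so any other place in ssl3_get_key_exchange that frees these locals before reaching the common exit is worth checking for the same pairing. The function body starts and ends outside the hunk, so that check cannot be done from the lines shown here.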