Merge branch 'OpenSSL_1_0_2-stable' of https://github.com/openssl/openssl into OpenSSL_1_0_2-stableOpenSSL_1_0_2-stable

* 'OpenSSL_1_0_2-stable' of https://github.com/openssl/openssl: (57 commits)
  SRP_create_verifier does not check for NULL before OPENSSL_cleanse
  Improve the definition of STITCHED_CALL in e_rc4_hmac_md5.c
  Fix a few leaks in X509_REQ_to_X509. Fix a possible leak on NETSCAPE_SPKI_verify failure.
  Add basic test for Cisco DTLS1_BAD_VER and record replay handling
  Fix ubsan 'left shift of negative value -1' error in satsub64be()
  Fix SSL_export_keying_material() for DTLS1_BAD_VER
  Fix the no-tls1 option
  ec/asm/ecp_nistz256-x86_64.pl: /cmovb/cmovc/ as nasm doesn't recognize cmovb.
  ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity.
  ec/asm/ecp_nistz256-x86_64.pl: addition to perform stricter reduction.
  Always use session_ctx when removing a session
  Avoid overflow in MDC2_Update()
  SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
  Fix no-ec
  Sanity check ticket length.
  mk1mf: dtlstest needs ssltestlib, include it with a hack
  Don't check for malloc failure twice.
  Fix overflow check in BN_bn2dec()
  RT2676: Reject RSA eponent if even or 1
  VMS: Use strict refdef extern model when building library object files
  ...

1 files changed, 19 insertions, 17 deletions

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index b5900dea8f..46c70d8ad5 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -618,11 +618,23 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
     int al;
 
     *ok = 0;
-    item = pqueue_peek(s->d1->buffered_messages);
-    if (item == NULL)
-        return 0;
+    do {
+        item = pqueue_peek(s->d1->buffered_messages);
+        if (item == NULL)
+            return 0;
+
+        frag = (hm_fragment *)item->data;
+
+        if (frag->msg_header.seq < s->d1->handshake_read_seq) {
+            /* This is a stale message that has been buffered so clear it */
+            pqueue_pop(s->d1->buffered_messages);
+            dtls1_hm_fragment_free(frag);
+            pitem_free(item);
+            item = NULL;
+            frag = NULL;
+        }
+    } while (item == NULL);
 
-    frag = (hm_fragment *)item->data;
 
     /* Don't return if reassembly still in progress */
     if (frag->reassembly != NULL)
@@ -1211,7 +1223,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
     unsigned long header_length;
     unsigned char seq64be[8];
     struct dtls1_retransmit_state saved_state;
-    unsigned char save_write_sequence[8];
+    unsigned char save_write_sequence[8] = {0, 0, 0, 0, 0, 0, 0, 0};
 
     /*-
       OPENSSL_assert(s->init_num == 0);
@@ -1296,18 +1308,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
     return ret;
 }
 
-/* call this function when the buffered messages are no longer needed */
-void dtls1_clear_record_buffer(SSL *s)
-{
-    pitem *item;
-
-    for (item = pqueue_pop(s->d1->sent_messages);
-         item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
-        dtls1_hm_fragment_free((hm_fragment *)item->data);
-        pitem_free(item);
-    }
-}
-
 unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
                                         unsigned char mt, unsigned long len,
                                         unsigned long frag_off,
@@ -1546,6 +1546,8 @@ int dtls1_heartbeat(SSL *s)
      *  - Padding
      */
     buf = OPENSSL_malloc(1 + 2 + payload + padding);
+    if (buf == NULL)
+        goto err;
     p = buf;
     /* Message Type */
     *p++ = TLS1_HB_REQUEST;