Fix seg fault in dtls1_new

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-03 16:11:49 +00:00 · 2015-02-03 16:11:49 +00:00 · 5fb6f80cdf
commit 5fb6f80cdf
parent cb2ce7abfd
3 changed files with 11 additions and 8 deletions
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@ -124,6 +124,10 @@ int dtls1_new(SSL *s)
 {
    DTLS1_STATE *d1;

+    if(!DTLS_RECORD_LAYER_new(&s->rlayer)) {
+        return 0;
+    }
+    
    if (!ssl3_new(s))
        return (0);
    if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL) {
@ -132,12 +136,6 @@ int dtls1_new(SSL *s)
    }
    memset(d1, 0, sizeof *d1);

-    if(!DTLS_RECORD_LAYER_new(&s->rlayer)) {
-        OPENSSL_free(d1);
-        ssl3_free(s);
-        return 0;
-    }
-
    d1->buffered_messages = pqueue_new();
    d1->sent_messages = pqueue_new();
    d1->buffered_app_data.q = pqueue_new();
--- a/ssl/record/d1_pkt.c
+++ b/ssl/record/d1_pkt.c
@ -133,7 +133,6 @@ int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)


    rl->d = d;
-    DTLS_RECORD_LAYER_clear(rl);

    d->unprocessed_rcds.q = pqueue_new();
    d->processed_rcds.q = pqueue_new();
--- a/ssl/record/s3_pkt.c
+++ b/ssl/record/s3_pkt.c
@ -145,8 +145,10 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
    size_t rlen, wlen;
    int read_ahead;
    SSL *s;
+    DTLS_RECORD_LAYER *d;

    s = rl->s;
+    d = rl->d;
    read_ahead = rl->read_ahead;
    rp = SSL3_BUFFER_get_buf(&rl->rbuf);
    rlen = SSL3_BUFFER_get_len(&rl->rbuf);
@ -165,6 +167,10 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
    rl->read_ahead = read_ahead;
    rl->rstate = SSL_ST_READ_HEADER;
    rl->s = s;
+    rl->d = d;
+    
+    if(d)
+        DTLS_RECORD_LAYER_clear(rl);
 }

 void RECORD_LAYER_release(RECORD_LAYER *rl)