Hi Bug Folks!
I think I found one in ssl23_connect() in ssl23_clnt.c. I'm not sure if this is
the problem I've been trying to fix or not but it is potentially dangerous. Here's
the code:
...
    if ((buf=BUF_MEM_new()) == NULL)
        {
        ret= -1;
        goto end;
        }
    if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
        {
        ret= -1;
        goto end;
        }
...
The stack pointer "buf" never gets freed if "BUF_MEM_grow()" fails.
The same coding error exists in s2_clnt.c ssl2_connect() and in
s3_clnt.c ssl3_connect().
Please let me know if there's anything I can do for you,
Mark P. Peterson - Vice President
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
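
The error path described in the report above, as an added example that is not part of the original post and is not OpenSSL code. demo_buf, its helpers, the counters and the 16384-byte size are hypothetical stand-ins so the leak can be observed without the library. The stand-in frees the buffer on success as a simplification.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-in for a growable buffer; NOT OpenSSL's BUF_MEM. */
typedef struct { char *data; size_t max; } demo_buf;
static int live_allocs = 0;   /* outstanding allocations, for leak checks */
static int fail_grow = 0;     /* set to 1 to inject a grow failure */

static demo_buf *demo_buf_new(void) {
    demo_buf *b = calloc(1, sizeof(*b));
    if (b != NULL) live_allocs++;
    return b;
}
static int demo_buf_grow(demo_buf *b, size_t len) {
    char *p;
    if (fail_grow) return 0;                      /* simulated out-of-memory */
    if ((p = realloc(b->data, len)) == NULL) return 0;
    if (b->data == NULL) live_allocs++;           /* first data allocation */
    b->data = p; b->max = len;
    return 1;
}
static void demo_buf_free(demo_buf *b) {
    if (b == NULL) return;
    if (b->data != NULL) { free(b->data); live_allocs--; }
    free(b); live_allocs--;
}
/* Pattern from the report: 'goto end' after a failed grow drops buf. */
int connect_leaky(void) {
    demo_buf *buf; int ret = 1;
    if ((buf = demo_buf_new()) == NULL) { ret = -1; goto end; }
    if (!demo_buf_grow(buf, 16384)) { ret = -1; goto end; }
    demo_buf_free(buf);                           /* reached on success only */
end:
    return ret;
}
/* One way to close the leak: release at the shared exit label. */
int connect_fixed(void) {
    demo_buf *buf = NULL; int ret = 1;
    if ((buf = demo_buf_new()) == NULL) { ret = -1; goto end; }
    if (!demo_buf_grow(buf, 16384)) { ret = -1; goto end; }
end:
    demo_buf_free(buf);                           /* NULL-safe, runs on every path */
    return ret;
}
int main(void) {
    fail_grow = 1;                                /* force the error path */
    connect_leaky(); printf("leaky: %d outstanding\n", live_allocs);
    live_allocs = 0; connect_fixed(); printf("fixed: %d outstanding\n", live_allocs);
    return 0;
}
```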