Hello,

Our UC-KLEE tool found a use-after-free bug in dtls1_buffer_record (ssl/d1_pkt.c) affecting OpenSSL 1.0.1 (and probably other branches).

If the call to ssl3_setup_buffers() (line 255 in the 1.0.1 HEAD) fails, the new item is freed, causing a dangling pointer to remain in the record queue. This pointer is then dereferenced in pqueue_pop(), called by dtls1_read_bytes() (line 812). Attached is a suggested patch, which delays the queue insertion until after the ssl3_setup_buffers() call. This seems easier than looking through the priority queue to find and remove the item we just inserted.

Thanks,
-David
dtls1_buffer_record-use-after-free.patch
Description: Binary data
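The ordering problem the report describes, modelled in a small stand-alone C program. This is an added illustration, not OpenSSL's code or the attached patch: toy_queue stands in for the pqueue, toy_record for the buffered DTLS record and toy_setup_buffers for the fallible ssl3_setup_buffers() call; all of those names, and the sample record contents, are hypothetical. The vulnerable ordering inserts the record before the fallible step and leaves a freed pointer in the queue when that step fails; the fixed ordering runs the fallible step first, so nothing is queued until it can no longer fail. The check counts the stale slot rather than dereferencing it.

```c
/* Added illustration (not OpenSSL code): a minimal model of the ordering
 * bug described above. toy_queue stands in for the pqueue and toy_record
 * for the buffered DTLS record; toy_setup_buffers stands in for the
 * fallible ssl3_setup_buffers() call. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QMAX 8

/* Fixed-capacity FIFO of record pointers; the queue owns only the slots,
 * not the records, just as the real pqueue holds pointers to items. */
typedef struct {
    void *items[QMAX];
    int count;
} toy_queue;

typedef struct {
    unsigned char *data;
    size_t len;
} toy_record;

static int toy_queue_push(toy_queue *q, void *item) {
    if (q->count >= QMAX) return 0;
    q->items[q->count++] = item;
    return 1;
}

static void *toy_queue_pop(toy_queue *q) {
    void *item;
    if (q->count == 0) return NULL;
    item = q->items[0];
    memmove(&q->items[0], &q->items[1], (size_t)(q->count - 1) * sizeof(void *));
    q->count--;
    return item;
}

static toy_record *toy_record_new(const unsigned char *src, size_t len) {
    toy_record *rec = calloc(1, sizeof *rec);
    if (rec == NULL) return NULL;
    rec->data = malloc(len);
    if (rec->data == NULL) { free(rec); return NULL; }
    memcpy(rec->data, src, len);
    rec->len = len;
    return rec;
}

static void toy_record_free(toy_record *rec) {
    if (rec != NULL) { free(rec->data); free(rec); }
}

/* 'fail' forces the failure path so both orderings can be exercised
 * deterministically; returns 1 on success, 0 on failure. */
static int toy_setup_buffers(int fail) { return fail ? 0 : 1; }

/* Vulnerable ordering: the record is queued first, then the fallible setup
 * runs. On failure the record is freed while the queue still holds its
 * address, which is exactly the dangling pointer the report describes. */
static int buffer_record_vulnerable(toy_queue *q, const unsigned char *src,
                                    size_t len, int setup_fail) {
    toy_record *rec = toy_record_new(src, len);
    if (rec == NULL) return -1;
    if (!toy_queue_push(q, rec)) { toy_record_free(rec); return -1; }
    if (!toy_setup_buffers(setup_fail)) {
        toy_record_free(rec);   /* q->items[...] still points at rec */
        return -1;
    }
    return 1;
}

/* Fixed ordering, as the attached patch proposes: run the fallible setup
 * first and insert into the queue only once nothing further can fail. */
static int buffer_record_fixed(toy_queue *q, const unsigned char *src,
                               size_t len, int setup_fail) {
    toy_record *rec = toy_record_new(src, len);
    if (rec == NULL) return -1;
    if (!toy_setup_buffers(setup_fail)) { toy_record_free(rec); return -1; }
    if (!toy_queue_push(q, rec)) { toy_record_free(rec); return -1; }
    return 1;
}

/* Queue entries left behind after a forced setup failure: the vulnerable
 * ordering leaves 1 (a freed record), the fixed ordering leaves 0. The stale
 * slot is counted, never dereferenced. */
static int entries_left_after_failure(int use_fixed) {
    static const unsigned char msg[] = "constructed record";  /* sample input */
    toy_queue q = {0};
    if (use_fixed) buffer_record_fixed(&q, msg, sizeof msg, 1);
    else           buffer_record_vulnerable(&q, msg, sizeof msg, 1);
    return q.count;
}

/* Success path for either ordering: one record queued, popped and freed. */
static int success_round_trip(int use_fixed) {
    static const unsigned char msg[] = "constructed record";
    toy_queue q = {0};
    toy_record *rec;
    int rc = use_fixed ? buffer_record_fixed(&q, msg, sizeof msg, 0)
                       : buffer_record_vulnerable(&q, msg, sizeof msg, 0);
    if (rc != 1) return 0;
    rec = toy_queue_pop(&q);
    if (rec == NULL || rec->len != sizeof msg) return 0;
    toy_record_free(rec);
    return q.count == 0 && toy_queue_pop(&q) == NULL;
}

int main(void) {
    printf("entries left after failure: vulnerable=%d fixed=%d\n",
           entries_left_after_failure(0), entries_left_after_failure(1));
    return 0;
}
```

Running the program prints one stale entry for the vulnerable ordering and none for the fixed one; in the real code that stale entry is what pqueue_pop() later hands back to dtls1_read_bytes().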