The attached patch against 1.0.0 fixes a potential double free, and a use of the
already-freed handshake_buffer, when SSL_clear() is called more than once on the same SSL object.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--- s3_lib.c.hbuf-clear 2009-05-28 20:10:47.000000000 +0200
+++ s3_lib.c 2009-10-16 09:50:24.000000000 +0200
@@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s)
wlen = s->s3->wbuf.len;
if (s->s3->handshake_buffer) {
BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
}
if (s->s3->handshake_dgst) {
ssl3_free_digest_list(s);
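Review bot: The reset added after BIO_free() closes the double free for handshake_buffer, but the neighbouring handshake_dgst cleanup two lines below depends on ssl3_free_digest_list() clearing its own pointer, which this hunk does not show; if that helper does not end with `s->s3->handshake_dgst = NULL;`, the same repeated-clear path frees that list twice. It would be worth confirming the helper does so, or resetting the field here as the patch now does for handshake_buffer. A why-comment on the new line would also stop a later cleanup from dropping it as redundant, e.g. `/* clear the pointer so a second ssl3_clear() cannot free or read the released BIO */`. The enclosing ssl3_clear() begins before this hunk and continues past it.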