The attached patch against 1.0.0 fixes a potential double free and reuse of freed handshake_buffer when SSL_clear() is called.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--- s3_lib.c.hbuf-clear 2009-05-28 20:10:47.000000000 +0200 +++ s3_lib.c 2009-10-16 09:50:24.000000000 +0200 @@ -2211,6 +2211,7 @@ void ssl3_clear(SSL *s) wlen = s->s3->wbuf.len; if (s->s3->handshake_buffer) { BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; } if (s->s3->handshake_dgst) { ssl3_free_digest_list(s);
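Review bot: resetting s->s3->handshake_buffer to NULL right after BIO_free() in ssl3_clear() is the correct fix for the stale pointer, but the adjacent handshake_dgst branch visible in the same hunk frees through ssl3_free_digest_list(s) with no reset of s->s3->handshake_dgst shown in this context; confirm that helper clears the pointer itself, otherwise it leaves the same dangling-pointer pattern this patch removes for handshake_buffer.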