authorAdam Langley <agl@chromium.org>2014-06-20 23:00:00 +0400
committerAdam Langley <agl@chromium.org>2014-06-21 00:17:41 +0400
commit3a54f9e01592df7ef3ffd845b26178d3c640f5de (patch)
tree465cf63639d808d54ae09e1d242248d195ed01df /ssl/d1_pkt.c
parenta09d2127eaeaab15d520c7e5dd964b72dba9597f (diff)
Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug.
PR#3362 (Imported from upstream's 8de85b00484e7e4ca6f0b6e174fb1dc97db91281)
Diffstat (limited to 'ssl/d1_pkt.c')
-rw-r--r--ssl/d1_pkt.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index a3bc1e6e..f0837796 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -231,14 +231,6 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
item->data = rdata;
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL)
- {
- OPENSSL_free(rdata);
- pitem_free(item);
- return(0);
- }
-
s->packet = NULL;
s->packet_length = 0;
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -251,7 +243,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
pitem_free(item);
return(0);
}
-
+
+ /* insert should not fail, since duplicates are dropped */
+ if (pqueue_insert(queue->q, item) == NULL)
+ {
+ OPENSSL_free(rdata);
+ pitem_free(item);
+ return(0);
+ }
+
return(1);
}
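Review bot: The relocated `pqueue_insert()` failure branch frees only `rdata` and `item`, so any record buffer that `rdata` took over earlier in `dtls1_buffer_record()` (outside this hunk) would be leaked. The `memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER))` in the first hunk discards the old buffer pointer without freeing it, which suggests ownership was moved into `rdata`; please confirm against the full function. If so, release it first, e.g. `if (rdata->rbuf.buf != NULL) OPENSSL_free(rdata->rbuf.buf);` before `OPENSSL_free(rdata);`, and apply the same to the `ssl3_setup_buffers()` failure path just above. The comment says duplicates are dropped through this branch, so it is reachable from received records and a leak here would accumulate per duplicate datagram. The comment would also read better as `/* insert fails only for a duplicate record, which is dropped here */`.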