LibreSSL DTLS double free

[GoogleCodeExporter]

Dear LibreSSL developers,

we identified a security issues in LibreSSL 2.1.1.

Please confirm at your earliest convenience that you have received this 
vulnerability report. We will gladly work with you so you can successfully 
confirm and reproduce this issue.

Also note that this bug is subject to a 90 day disclosure deadline. If 90 days 
elapse without a broadly available patch, then the bug report will 
automatically become visible to the public.

We’ll be tracking this on:
[this URL]

Details:

For DTLS handshakes, in d1_srtp.c in function 
ssl_parse_clienthello_use_srtp_ext a stack is allocated (clnt) on line 333.

297 →       STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0, *srvr;
333 →       clnt = sk_SRTP_PROTECTION_PROFILE_new_null();

$2 = (struct stack_st_SRTP_PROTECTION_PROFILE *) 0x7b6220

If the branch on line 352 (mki_len != len) is taken, the clnt is freed on line 
356 and a subsequent goto goes to done.

After the first free, clnt is non NULL
$3 = (struct stack_st_SRTP_PROTECTION_PROFILE *) 0x7b6220

Then, under done a second free occurs, triggering the double free condition.

385 done:
386 →       if (clnt)
387 →       →       sk_SRTP_PROTECTION_PROFILE_free(clnt);

Another use of 'goto done' is not freeing the clnt. The removal of the first 
free on line 356 should fix the issue.

Don’t hesitate to let us know if you have any questions!

Cheers
Felix

Original issue reported on code.google.com by groeb...@google.com on 26 Nov 2014 at 12:29

[GoogleCodeExporter]

https://github.com/robertbachmann/openbsd-libssl/commit/62a110d447bb8c16a4c69629
e28a42e8c39fd7e0

Original comment by groeb...@google.com on 12 Dec 2014 at 8:52

[GoogleCodeExporter]

Fixed in LibreSSL 2.1.2

Original comment by groeb...@google.com on 12 Dec 2014 at 8:54

[GoogleCodeExporter]

Original comment by groeb...@google.com on 12 Dec 2014 at 9:07

• Changed state: Fixed
• Added labels: Fixed-2014-Dec-08
• Removed labels: Restrict-View-Commit