In dtls1_clear_queues(), the data field of each item in
s->d1->buffered_app_data.q is incorrectly treated as hm_fragment *; it should
be DTLS1_RECORD_DATA *.

--
qun-ying
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 2287ba6..7d9d91f 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -202,9 +202,12 @@ static void dtls1_clear_queues(SSL *s)
 
 	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
 		{
-		frag = (hm_fragment *)item->data;
-		OPENSSL_free(frag->fragment);
-		OPENSSL_free(frag);
+		rdata = (DTLS1_RECORD_DATA *) item->data;
+		if (rdata->rbuf.buf)
+			{
+			OPENSSL_free(rdata->rbuf.buf);
+			}
+		OPENSSL_free(item->data);
 		pitem_free(item);
 		}
 	}
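Review bot: `rdata` is assigned on the first added line of the loop, but this hunk adds no declaration for it, and the locals of `dtls1_clear_queues()` sit above line 202, outside the hunk. Unless the function already declares it, the patch also needs `DTLS1_RECORD_DATA *rdata;` beside the existing `item` and `frag` locals. The `if (rdata->rbuf.buf)` guard looks redundant, since OPENSSL_free() tolerates NULL, and `OPENSSL_free(rdata);` would read more clearly than `OPENSSL_free(item->data);`. A short comment above the loop such as `/* buffered_app_data holds DTLS1_RECORD_DATA, not hm_fragment */` would help stop the type mix-up, and the resulting wrong-pointer free, from coming back.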
