Move free from cbb_init() to only CBB_init(). CBB_init_fixed() should not call free because it can lead to use after free or double free bugs. The caller should be responsible for creating and destroying the buffer. In the current code, ssl3_get_v2_client_hello() may free s->init_buf->data via CBB_init_fixed(). It can also be freed via SSL_free(s) since ssl3_get_v2_client_hello() doesn't set it to NULL and CBB_init_fixed() can't set the caller's pointer to NULL. Change-Id: Ia05a67ae25af7eb4fb04f08f20d50d912b41e38b

commit: a84f06fc1eee6ea25ce040675fbad72c532afece [log] [tgz]
author: Doug Hogan <doug@acyclic.org> Sun Feb 01 19:46:09 2015 -0800
committer: Adam Langley <agl@google.com> Mon Feb 02 17:01:32 2015 -0800
tree: d7876c0fd5b90532588b99ff1cfd518562513541
parent: d660b57208e433d7d64973d52c3ea06a77ec4b57 [diff]
diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c
index 4428836..7dc6342 100644
--- a/crypto/bytestring/cbb.c
+++ b/crypto/bytestring/cbb.c

@@ -25,7 +25,6 @@
 
   base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
   if (base == NULL) {
-    OPENSSL_free(buf);
     return 0;
   }
 
@@ -48,7 +47,12 @@
     return 0;
   }
 
-  return cbb_init(cbb, buf, initial_capacity);
+  if (!cbb_init(cbb, buf, initial_capacity)) {
+    OPENSSL_free(buf);
+    return 0;
+  }
+
+  return 1;
 }
 
 int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
commit	a84f06fc1eee6ea25ce040675fbad72c532afece	[log] [tgz]
author	Doug Hogan <doug@acyclic.org>	Sun Feb 01 19:46:09 2015 -0800
committer	Adam Langley <agl@google.com>	Mon Feb 02 17:01:32 2015 -0800
tree	d7876c0fd5b90532588b99ff1cfd518562513541
parent	d660b57208e433d7d64973d52c3ea06a77ec4b57 [diff]