From 6824865c105925977e5a7dcb80a345219a565ecb Mon Sep 17 00:00:00 2001
From: Changli Gao
Date: Mon, 12 Jun 2017 21:57:26 +0800
Subject: [PATCH] DTLS: Fix potential double BIO_free
We should set init to 1 after calling SSL_set_bio(), otherwise if we fail to call EC_KEY_new_by_curve_name(), we will free r_bio and w_bio twice: one with BIO_free(), and the other with SSL_free().
---
 daemon/dtls.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/daemon/dtls.c b/daemon/dtls.c
index 6c1e3fb7d..9943901e7 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -524,6 +524,7 @@ int dtls_connection_init(struct packet_stream *ps, int active, struct dtls_cert
 SSL_set_app_data(d->ssl, ps->selected_sfd); /* XXX obj reference here? */
 SSL_set_bio(d->ssl, d->r_bio, d->w_bio);
+ d->init = 1;
 SSL_set_mode(d->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -533,7 +534,6 @@ int dtls_connection_init(struct packet_stream *ps, int active, struct dtls_cert
 SSL_set_tmp_ecdh(d->ssl, ecdh);
 EC_KEY_free(ecdh);
- d->init = 1;
 d->active = active ? -1 : 0;
 done:
@@ -541,10 +541,12 @@ done:
 error:
 err = ERR_peek_last_error();
- if (d->r_bio)
- BIO_free(d->r_bio);
- if (d->w_bio)
- BIO_free(d->w_bio);
+ if (!d->init) {
+ if (d->r_bio)
+ BIO_free(d->r_bio);
+ if (d->w_bio)
+ BIO_free(d->w_bio);
+ }
 if (d->ssl)
 SSL_free(d->ssl);
 if (d->ssl_ctx)
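Review bot: The added `d->init = 1;` now doubles as the record that SSL_set_bio() has handed ownership of r_bio and w_bio to d->ssl, which is what the error path's new `if (!d->init)` guard relies on, but nothing on the line says so and a later reader could move it back below the ECDH setup and silently reintroduce the double free; suggest `d->init = 1; /* d->ssl now owns r_bio/w_bio: the error path must not BIO_free them */`. Because the flag is now set before the EC_KEY_new_by_curve_name() check, a failure there reaches the error path with d->init still 1 after SSL_free(d->ssl), so that path should clear the flag and the freed pointers before returning unless the part of it beyond the third hunk already zeroes the struct. The same moved line is what the second hunk removes, so this note covers both. dtls_connection_init() begins before the first hunk and the error path continues past the last one.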