diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c

--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak	2015-01-13 11:44:12.410022377 +0100

+++ openssl-1.0.1e/ssl/d1_pkt.c	2015-01-13 11:50:40.062789458 +0100

@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu

 	/* Limit the size of the queue to prevent DOS attacks */

 	if (pqueue_size(queue->q) >= 100)

 		return 0;

-		

+

 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));

 	item = pitem_new(priority, rdata);

 	if (rdata == NULL || item == NULL)

@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu

 	}

 #endif

-	/* insert should not fail, since duplicates are dropped */

-	if (pqueue_insert(queue->q, item) == NULL)

-		{

-		OPENSSL_free(rdata);

-		pitem_free(item);

-		return(0);

-		}

-

 	s->packet = NULL;

 	s->packet_length = 0;

 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));

@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu

 	if (!ssl3_setup_buffers(s))

 		{

 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);

+		if (rdata->rbuf.buf != NULL)

+			OPENSSL_free(rdata->rbuf.buf);

 		OPENSSL_free(rdata);

 		pitem_free(item);

-		return(0);

+		return(-1);

 		}

-	

+

+	/* insert should not fail, since duplicates are dropped */

+	if (pqueue_insert(queue->q, item) == NULL)

+		{

+		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);

+		if (rdata->rbuf.buf != NULL)

+			OPENSSL_free(rdata->rbuf.buf);

+		OPENSSL_free(rdata);

+		pitem_free(item);

+		return(-1);

+		}

+

 	return(1);

 	}

@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s)

             dtls1_get_unprocessed_record(s);

             if ( ! dtls1_process_record(s))

                 return(0);

-            dtls1_buffer_record(s, &(s->d1->processed_rcds), 

-                s->s3->rrec.seq_num);

+            if(dtls1_buffer_record(s, &(s->d1->processed_rcds),

+                s->s3->rrec.seq_num)<0)

+                return -1;

             }

         }

@@ -529,7 +535,6 @@ printf("\n");

 	/* we have pulled in a full packet so zero things */

 	s->packet_length=0;

-	dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */

 	return(1);

 f_err:

@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s)

 	/* The epoch may have changed.  If so, process all the

 	 * pending records.  This is a non-blocking operation. */

-	dtls1_process_buffered_records(s);

+	if(dtls1_process_buffered_records(s)<0)

+		return -1;

 	/* if we're renegotiating, then there may be buffered records */

 	if (dtls1_get_processed_record(s))

@@ -699,7 +705,9 @@ again:

 		{

 		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)

 			{

-			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);

+			if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)

+				return -1;

+			dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */

 			}

 		rr->length = 0;

 		s->packet_length = 0;

@@ -712,6 +720,7 @@ again:

 		s->packet_length = 0;  /* dump this record */

 		goto again;   /* get another record */

 		}

+	dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */

 	return(1);

@@ -863,7 +872,11 @@ start:

 		 * buffer the application data for later processing rather

 		 * than dropping the connection.

 		 */

-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);

+		if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)

+			{

+			SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);

+			return -1;

+			}

 		rr->length = 0;

 		goto start;

 		}