diff -up openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth openssl-1.0.1e/ssl/t1_lib.c
--- openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth 2016-09-20 18:09:26.000000000 +0200
+++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-22 10:57:23.195580623 +0200
@@ -1239,6 +1239,27 @@ int ssl_parse_clienthello_tlsext(SSL *s,
*al = SSL_AD_DECODE_ERROR;
return 0;
}
+
+ /*
+ * We remove any OCSP_RESPIDs from a previous handshake
+ * to prevent unbounded memory growth - CVE-2016-6304
+ */
+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
+ OCSP_RESPID_free);
+ if (dsize > 0)
+ {
+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
+ if (s->tlsext_ocsp_ids == NULL)
+ {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+ else
+ {
+ s->tlsext_ocsp_ids = NULL;
+ }
+
while (dsize > 0)
{
OCSP_RESPID *id;
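Review bot: Between the `sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);` call and the reassignment in either branch, `s->tlsext_ocsp_ids` holds a freed pointer; this is safe only because no early return sits in that window, and the two-branch reassignment hides the fact. Clearing the field unconditionally right after the free and dropping the `else` keeps the session state valid at every statement: `sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);` then `s->tlsext_ocsp_ids = NULL;` followed by the existing `if (dsize > 0) { ... }` allocation. That also makes explicit the invariant the loop below now relies on once the lazy allocation at the push site is removed: the stack is non-NULL exactly when `dsize > 0`, so a comment such as `/* allocated up front so the push in the loop never sees a NULL stack */` would help the next reader. Note that `sk_OCSP_RESPID_new_null()` returning NULL is stored before the check, so the failure path itself leaves no dangling pointer. ssl_parse_clienthello_tlsext begins and ends outside the hunk.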
@@ -1271,14 +1292,6 @@ int ssl_parse_clienthello_tlsext(SSL *s,
*al = SSL_AD_DECODE_ERROR;
return 0;
}
- if (!s->tlsext_ocsp_ids
- && !(s->tlsext_ocsp_ids =
- sk_OCSP_RESPID_new_null()))
- {
- OCSP_RESPID_free(id);
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
if (!sk_OCSP_RESPID_push(
s->tlsext_ocsp_ids, id))
{