diff -up openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth openssl-1.0.1e/ssl/t1_lib.c
--- openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth 2016-09-20 18:09:26.000000000 +0200
+++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-22 10:57:23.195580623 +0200
@@ -1239,6 +1239,27 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 *al = SSL_AD_DECODE_ERROR;
 return 0;
 }
+
+ /*
+ * We remove any OCSP_RESPIDs from a previous handshake
+ * to prevent unbounded memory growth - CVE-2016-6304
+ */
+ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
+ OCSP_RESPID_free);
+ if (dsize > 0)
+ {
+ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
+ if (s->tlsext_ocsp_ids == NULL)
+ {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ }
+ else
+ {
+ s->tlsext_ocsp_ids = NULL;
+ }
+
 while (dsize > 0)
 {
 OCSP_RESPID *id;
@@ -1271,14 +1292,6 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 *al = SSL_AD_DECODE_ERROR;
 return 0;
 }
- if (!s->tlsext_ocsp_ids
- && !(s->tlsext_ocsp_ids =
- sk_OCSP_RESPID_new_null()))
- {
- OCSP_RESPID_free(id);
- *al = SSL_AD_INTERNAL_ERROR;
- return 0;
- }
 if (!sk_OCSP_RESPID_push(
 s->tlsext_ocsp_ids, id))
 {
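Review bot: Between `sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);` and the assignments in the two branches, `s->tlsext_ocsp_ids` briefly holds a freed pointer in the first hunk; it is safe today only because both branches assign before any `return`, which a future edit could break. Resetting the field immediately after the free, `s->tlsext_ocsp_ids = NULL;`, also lets the `else` block go away, leaving just `if (dsize > 0) { s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ... }`. The comment would be more useful to the next maintainer if it also stated why the reset is placed here: the stack is per-SSL and survives renegotiation, so without this each renegotiation's responder IDs accumulated on the previous handshake's stack, and that freeing a NULL stack is a no-op so the first handshake is fine. The second hunk's removal of the lazy allocation is consistent with this and needs nothing further. ssl_parse_clienthello_tlsext's body begins and ends outside both hunks, so whether `dsize` has been bounded against the extension length before this point is not visible here.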