LibreSSL DTLS double free
Reported by groebert@google.com, Nov 26 2014
Dear LibreSSL developers,

We identified a security issue in LibreSSL 2.1.1. Please confirm at your earliest convenience that you have received this vulnerability report. We will gladly work with you so you can successfully confirm and reproduce this issue. Also note that this bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. We’ll be tracking this on: [this URL]

Details:

For DTLS handshakes, in d1_srtp.c in function ssl_parse_clienthello_use_srtp_ext a stack (clnt) is allocated on line 333.

    297 →   STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0, *srvr;
    333 →   clnt = sk_SRTP_PROTECTION_PROFILE_new_null();
    $2 = (struct stack_st_SRTP_PROTECTION_PROFILE *) 0x7b6220

If the branch on line 352 (mki_len != len) is taken, clnt is freed on line 356 and a subsequent goto goes to done. After the first free, clnt is still non-NULL:

    $3 = (struct stack_st_SRTP_PROTECTION_PROFILE *) 0x7b6220

Then, under done, a second free occurs, triggering the double free condition.

    385 done:
    386 →   if (clnt)
    387 → →   sk_SRTP_PROTECTION_PROFILE_free(clnt);

Another use of 'goto done' does not free clnt. The removal of the first free on line 356 should fix the issue.

Don’t hesitate to let us know if you have any questions!

Cheers
Felix
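As an added illustration (not LibreSSL source or the reporter's code), the control-flow shape described above modelled in C: an early free on the length-mismatch branch followed by a `goto done` whose cleanup frees the same pointer again, beside the shape with the early free removed. The `profile_stack` type, the function names and the mismatched (4, 0) lengths are constructed stand-ins, and the release routine is instrumented to count a repeated release rather than hand the block back to the allocator twice.

```c
#include <stdlib.h>
/* Stand-in for STACK_OF(SRTP_PROTECTION_PROFILE); the real layout does not matter here. */
typedef struct { int live; } profile_stack;
/* Instrumented release: freeing a block twice is undefined behaviour, so this demo keeps the block allocated (intentionally leaked) and counts repeated releases instead of calling free() again. */
static int double_free_count;

static profile_stack *profile_stack_new(void) {
    profile_stack *s = malloc(sizeof *s);
    if (s != NULL) s->live = 1;
    return s;
}

static void profile_stack_free(profile_stack *s) {
    if (s == NULL) return;
    if (!s->live) { double_free_count++; return; }  /* same block released a second time */
    s->live = 0;
}

/* Shape of the vulnerable path in the report (constructed, not LibreSSL source): clnt is freed when the MKI length check fails, then freed again under the done: label. */
static int parse_use_srtp_vulnerable(size_t mki_len, size_t len) {
    profile_stack *clnt = profile_stack_new();
    int ret = 1;
    if (clnt == NULL) return ret;
    if (mki_len != len) {
        profile_stack_free(clnt);  /* first free; clnt still holds the stale pointer */
        goto done;
    }
    ret = 0;
done:
    if (clnt) profile_stack_free(clnt);  /* second free of the same pointer */
    return ret;
}

/* Fix proposed in the report: remove the early free so done: is the only place clnt is released. */
static int parse_use_srtp_fixed(size_t mki_len, size_t len) {
    profile_stack *clnt = profile_stack_new();
    int ret = 1;
    if (clnt == NULL) return ret;
    if (mki_len != len) goto done;  /* cleanup happens exactly once below */
    ret = 0;
done:
    if (clnt) profile_stack_free(clnt);
    return ret;
}

/* Runs a parser on constructed input whose MKI length disagrees with the remaining bytes and returns how many double frees the instrumented allocator observed. */
static int double_frees_on_error_path(int (*parser)(size_t, size_t)) {
    double_free_count = 0;
    parser(4, 0);
    return double_free_count;
}
```

The same instrumentation idea (tracking whether a block is still live before releasing it) is what allocator hardening and sanitizers use to flag this class of bug at runtime.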
Comment 1 by groebert@google.com, Dec 12 2014
Fixed in LibreSSL 2.1.2