Memory leak in fragment reassembly
An attacker can force a client to allocate memory without freeing it. The problem occurs in the routines otrl_message_receiving() and otrl_proto_fragment_accumulate().
Upon receiving each valid fragment, otrl_proto_fragment_accumulate() calls realloc() to grow the buffer held in context->context_priv->fragment.
When the last fragment arrives, the buffer pointer is placed in *unfragmessagep and the local copy context->context_priv->fragment is set to NULL.
This pointer is returned to the calling function otrl_message_receiving(), which (normally) frees it towards the end of that function.
In normal operation this is fine. However, if otrl_message_receiving() returns early (which it can, e.g. on an incorrect version), it skips the call that frees the buffer, so the reassembled message is never released. This could let an attacker fill up memory until the application crashes.
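The leak pattern and its fix, as an added model in C (not libotr's code): accumulate() stands in for otrl_proto_fragment_accumulate(), receive_leaky() for the early-returning otrl_message_receiving(), and receive_fixed() routes every exit through one cleanup point; the fragment strings, the version numbers and the live-buffer counter are constructed for the demonstration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the reassembly path described above (not libotr's code).
 * live_buffers counts reassembled buffers handed out and not yet freed. */
static int live_buffers = 0;

struct priv { char *fragment; size_t len; };

/* Models otrl_proto_fragment_accumulate(): grow with realloc(); on the final
 * piece, hand ownership to *outp and clear the context's own copy. */
static void accumulate(struct priv *p, const char *piece, int last, char **outp)
{
    size_t n = strlen(piece);
    char *grown = realloc(p->fragment, p->len + n + 1);
    if (grown == NULL) return;
    if (p->fragment == NULL) live_buffers++;      /* first piece: new allocation */
    memcpy(grown + p->len, piece, n + 1);
    p->fragment = grown;
    p->len += n;
    if (last) { *outp = p->fragment; p->fragment = NULL; p->len = 0; }
}

/* Models the leaky otrl_message_receiving(): the early return on a bad
 * version skips the free() that sits at the end of the function. */
static int receive_leaky(struct priv *p, const char *piece, int last, int version)
{
    char *msg = NULL;
    accumulate(p, piece, last, &msg);
    if (version != 3) return -1;                  /* msg is lost here */
    if (msg) { free(msg); live_buffers--; }
    return 0;
}

/* Hardened form: a single exit path owns the buffer, whatever the outcome. */
static int receive_fixed(struct priv *p, const char *piece, int last, int version)
{
    char *msg = NULL;
    int rc = 0;
    accumulate(p, piece, last, &msg);
    if (version != 3) { rc = -1; goto out; }
out:
    if (msg) { free(msg); live_buffers--; }
    return rc;
}

/* Two constructed fragments; the last one carries an unsupported version.
 * Returns how many reassembled buffers are still live afterwards. */
int live_after_bad_version(int use_fixed)
{
    int (*recv)(struct priv *, const char *, int, int) = use_fixed ? receive_fixed : receive_leaky;
    struct priv p = { NULL, 0 };
    live_buffers = 0;
    recv(&p, "first-piece,", 0, 3);   /* accepted; buffer stays in the context */
    recv(&p, "last-piece", 1, 1);     /* final piece, then the version check fails */
    return live_buffers;
}
```

live_after_bad_version(0) reports one orphaned buffer per failed message, which is the growth an attacker can repeat; live_after_bad_version(1) reports zero.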
(from redmine: created on 2014-06-25, closed on 2014-10-14)