diff options
| author | Miod Vallat <miod@cvs.openbsd.org> | 2014-05-18 16:10:27 +0000 |
|---|---|---|
| committer | Miod Vallat <miod@cvs.openbsd.org> | 2014-05-18 16:10:27 +0000 |
| commit | c44f9c310c6abefae85d2a86ba59a8b010a84777 (patch) | |
| tree | 9147ae8d674d27422612abe720c01e6b2938d3ba | |
| parent | 4940b67beeb8945d122cd3f7f152f45fcbc88618 (diff) | |
In ssl3_send_certificate_request(), when adding the extra payload if
NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to
accomodate for the payload size.
Issue reported by David Ramos; ok beck@
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 081aebf1f5d..decf35d50fe 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s) s->init_num = n + 4; s->init_off = 0; #ifdef NETSCAPE_HANG_BUG - p = (unsigned char *)s->init_buf->data + s->init_num; + if (!BUF_MEM_grow(buf, s->init_num + 4)) { + SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, + ERR_R_BUF_LIB); + goto err; + } + p = (unsigned char *)buf->data + s->init_num; /* do the header */ *(p++) = SSL3_MT_SERVER_DONE; |