summaryrefslogtreecommitdiff
path: root/lib/libssl/s3_pkt.c
diff options
context:
space:
mode:
authorTed Unangst <tedu@cvs.openbsd.org>2014-04-24 04:31:31 +0000
committerTed Unangst <tedu@cvs.openbsd.org>2014-04-24 04:31:31 +0000
commit8de381d52ddae476babda225fd7fe891c92de19b (patch)
tree5d2cdc39f0e05c8b17e719f1ff0e755b0c354aa7 /lib/libssl/s3_pkt.c
parent91aed4ab1394b35ab2680c167570a282014e3bee (diff)
on today's episode of things you didn't want to learn:
do_ssl3_write() is recursive. and not in the simple, obvious way, but in the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this then has a decent chance of releasing the buffer that we thought we were going to use. check for this happening, and if the buffer has gone missing, put another one back in place. the direct recursive call is safe because it won't call ssl3_write_pending which is the function that actually does do the writing and releasing. as reported by David Ramos to openssl-dev: http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck
Diffstat (limited to 'lib/libssl/s3_pkt.c')
-rw-r--r--lib/libssl/s3_pkt.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 60c51146acb..5ef25a4059f 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (i <= 0)
return (i);
/* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
}
if (len == 0 && !create_empty_fragment)