From a71ebc8d6d8ed6ccde26b10d0d6b33d52abbd888 Mon Sep 17 00:00:00 2001
From: Miod Vallat <miod@cvs.openbsd.org>
Date: Sun, 18 May 2014 16:10:27 +0000
Subject: In ssl3_send_certificate_request(), when adding the extra payload if
 NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to
 accomodate for the payload size.

Issue reported by David Ramos; ok beck@
---
 lib/libssl/s3_srvr.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 081aebf1f5d..decf35d50fe 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
 		s->init_num = n + 4;
 		s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-		p = (unsigned char *)s->init_buf->data + s->init_num;
+		if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+			SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+			    ERR_R_BUF_LIB);
+			goto err;
+		}
+		p = (unsigned char *)buf->data + s->init_num;
 
 		/* do the header */
 		*(p++) = SSL3_MT_SERVER_DONE;
-- 
cgit v1.2.3