on today's episode of things you didn't want to learn:

do_ssl3_write() is recursive. and not in the simple, obvious way, but in
the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia)
this then has a decent chance of releasing the buffer that we thought we
were going to use. check for this happening, and if the buffer has gone
missing, put another one back in place.
the direct recursive call is safe because it won't call ssl3_write_pending
which is the function that actually does do the writing and releasing.
as reported by David Ramos to openssl-dev:
http://marc.info/?l=openssl-dev&m=139809493725682&w=2
ok beck

diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 60c5114..5ef25a4 100644 (file)
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                if (i <= 0)
                        return (i);
                /* if it went, fall through and send more stuff */
+               /* we may have released our buffer, so get it again */
+               if (wb->buf == NULL)
+                       if (!ssl3_setup_write_buffer(s))
+                               return -1;
        }
 
        if (len == 0 && !create_empty_fragment)

diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 60c5114..5ef25a4 100644 (file)
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                if (i <= 0)
                        return (i);
                /* if it went, fall through and send more stuff */
+               /* we may have released our buffer, so get it again */
+               if (wb->buf == NULL)
+                       if (!ssl3_setup_write_buffer(s))
+                               return -1;
        }
 
        if (len == 0 && !create_empty_fragment)