In ssl3_send_certificate_request(), when adding the extra payload if
authormiod <miod@openbsd.org>
Sun, 18 May 2014 16:10:26 +0000 (16:10 +0000)
committermiod <miod@openbsd.org>
Sun, 18 May 2014 16:10:26 +0000 (16:10 +0000)
NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to
accommodate the payload size.

Issue reported by David Ramos; ok beck@

lib/libssl/s3_srvr.c
lib/libssl/src/ssl/s3_srvr.c

index 081aebf..decf35d 100644 (file)
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
                s->init_num = n + 4;
                s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-               p = (unsigned char *)s->init_buf->data + s->init_num;
+               if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+                       SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+                           ERR_R_BUF_LIB);
+                       goto err;
+               }
+               p = (unsigned char *)buf->data + s->init_num;
 
                /* do the header */
                *(p++) = SSL3_MT_SERVER_DONE;
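Review bot: The `4` in `BUF_MEM_grow(buf, s->init_num + 4)` is an unexplained literal that has to stay in step with the number of bytes written through `p` below it, and nothing at the call says so. A comment above the check such as `/* reserve the 4-byte handshake header of the ServerHelloDone appended below */` would tie the reservation to the writes. The writes after `SSL3_MT_SERVER_DONE` continue outside the hunk, so the count of four is inferred from the literal rather than visible here. Because BUF_MEM_grow() can reallocate, `p` is rightly re-derived from `buf->data` after the call, and any pointer into the buffer taken earlier in ssl3_send_certificate_request() (outside the hunk) should not be used past this point. The same applies to the second, identical hunk.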
index 081aebf..decf35d 100644 (file)
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
                s->init_num = n + 4;
                s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-               p = (unsigned char *)s->init_buf->data + s->init_num;
+               if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+                       SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+                           ERR_R_BUF_LIB);
+                       goto err;
+               }
+               p = (unsigned char *)buf->data + s->init_num;
 
                /* do the header */
                *(p++) = SSL3_MT_SERVER_DONE;