From: tedu Date: Thu, 24 Apr 2014 04:31:30 +0000 (+0000) Subject: on today's episode of things you didn't want to learn: X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=07594ff0b2c66402ac844e0ecdd49438ad371a00;p=openbsd on today's episode of things you didn't want to learn: do_ssl3_write() is recursive. and not in the simple, obvious way, but in the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this then has a decent chance of releasing the buffer that we thought we were going to use. check for this happening, and if the buffer has gone missing, put another one back in place. the direct recursive call is safe because it won't call ssl3_write_pending which is the function that actually does do the writing and releasing. as reported by David Ramos to openssl-dev: http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck --- diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c index 60c51146acb..5ef25a4059f 100644 --- a/lib/libssl/s3_pkt.c +++ b/lib/libssl/s3_pkt.c @@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (i <= 0) return (i); /* if it went, fall through and send more stuff */ + /* we may have released our buffer, so get it again */ + if (wb->buf == NULL) + if (!ssl3_setup_write_buffer(s)) + return -1; } if (len == 0 && !create_empty_fragment) diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c index 60c51146acb..5ef25a4059f 100644 --- a/lib/libssl/src/ssl/s3_pkt.c +++ b/lib/libssl/src/ssl/s3_pkt.c @@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (i <= 0) return (i); /* if it went, fall through and send more stuff */ + /* we may have released our buffer, so get it again */ + if (wb->buf == NULL) + if (!ssl3_setup_write_buffer(s)) + return -1; } if (len == 0 && !create_empty_fragment)
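Review bot: the brace-less nested conditional in the first do_ssl3_write hunk, `if (wb->buf == NULL)` directly followed by `if (!ssl3_setup_write_buffer(s)) return -1;`, reads as two statements and invites a dangling-else mistake in later edits; fold it into one condition, `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return (-1);`, which also keeps the parenthesized return form used two lines above (`return (i);`). The added comment `/* we may have released our buffer, so get it again */` should say how the release happens, namely that the write path re-enters through ssl3_dispatch_alert and ssl3_write_pending frees the buffer, as the commit message explains; without that, a later reader has no way to see why a NULL check on wb->buf is needed right after a successful write and may remove it.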
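Review bot: the second hunk applies the identical four lines to lib/libssl/src/ssl/s3_pkt.c, and both file headers carry the same index line (60c51146acb..5ef25a4059f), so the two paths are copies of one file; record in the commit message that both copies must be kept in sync (or which one the build actually compiles), otherwise a follow-up that touches only one path will quietly lose this fix in the other.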