In ssl3_send_certificate_request(), when adding the extra payload if

NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to
accomodate for the payload size.

Issue reported by David Ramos; ok beck@

2 files changed, 12 insertions, 2 deletions

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 081aebf1f5..decf35d50f 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
                 s->init_num = n + 4;
                 s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-                p = (unsigned char *)s->init_buf->data + s->init_num;
+                if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+                        SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+                            ERR_R_BUF_LIB);
+                        goto err;
+                }
+                p = (unsigned char *)buf->data + s->init_num;
 
                 /* do the header */
                 *(p++) = SSL3_MT_SERVER_DONE;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 081aebf1f5..decf35d50f 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
                 s->init_num = n + 4;
                 s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-                p = (unsigned char *)s->init_buf->data + s->init_num;
+                if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+                        SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+                            ERR_R_BUF_LIB);
+                        goto err;
+                }
+                p = (unsigned char *)buf->data + s->init_num;
 
                 /* do the header */
                 *(p++) = SSL3_MT_SERVER_DONE;