authorsthen <>2014-05-01 14:17:41 +0000
committersthen <>2014-05-01 14:17:41 +0000
commit6b4aaa5fd8098da7212b3f78e87aa3e3ea7841ad (patch)
treec6040fab83efc8d37c67da3f68e601643c82fe02
parent70525c292b1667d006816cb471126fc381e9bd52 (diff)
MFC, requested by deraadt@
-/-------------------------- revision 1.33 date: 2014/04/24 04:31:30; author: tedu; state: Exp; lines: +4 -0; on today's episode of things you didn't want to learn: do_ssl3_write() is recursive. and not in the simple, obvious way, but in the sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this then has a decent chance of releasing the buffer that we thought we were going to use. check for this happening, and if the buffer has gone missing, put another one back in place. the direct recursive call is safe because it won't call ssl3_write_pending which is the function that actually does do the writing and releasing. as reported by David Ramos to openssl-dev: http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck -/--------------------------
-rw-r--r--src/lib/libssl/src/ssl/s3_pkt.c4
1 files changed, 4 insertions, 0 deletions
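diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 898f4a1107..04a47bf2cb 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 if (i <= 0)
 return(i);
 /* if it went, fall through and send more stuff */
+/* we may have released our buffer, so get it again */
+if (wb->buf == NULL)
+if (!ssl3_setup_write_buffer(s))
+return -1;
 }
 
 if (len == 0 && !create_empty_fragment)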
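Review bot: The guard added at new lines 660-663 is a pair of nested, unbraced `if`s, and its comment does not say what released the buffer, so a later reader cannot tell why `wb->buf` may be NULL at this point. According to the commit message, the release happens when ssl3_dispatch_alert re-enters do_ssl3_write and reaches ssl3_write_pending. I would record that in the comment, e.g. `/* ssl3_dispatch_alert() can re-enter do_ssl3_write(); ssl3_write_pending() may then release wb->buf, so re-allocate it before use */`, and fold the test into `if (wb->buf == NULL && !ssl3_setup_write_buffer(s))` followed by `return -1;`. The hunk shows only the tail of the alert-dispatch branch. Whether anything earlier in do_ssl3_write keeps a pointer or length derived from the old buffer across that call cannot be checked from here and should be confirmed against the full function.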