1 files changed, 14 insertions, 2 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 8c4261439a..f94469949c 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.133 2023/04/24 15:32:31 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.134 2023/04/24 16:55:06 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2247,9 +2247,13 @@ tlsext_randomize_build_order(SSL *s)
         size_t idx, new_idx, psk_idx;
         size_t alpn_idx, sni_idx;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
+        free(s->tlsext_build_order);
+        s->tlsext_build_order_len = 0;
+
+        if ((s->tlsext_build_order = calloc(s->tlsext_build_order_len,
             N_TLS_EXTENSIONS)) == NULL)
                 return 0;
+        s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
         /* RFC 8446, section 4.2: PSK must be the last extension in the CH. */
         psk_idx = N_TLS_EXTENSIONS - 1;
@@ -2292,6 +2296,14 @@ tlsext_linearize_build_order(SSL *s)
 {
         size_t idx;
 
+        free(s->tlsext_build_order);
+        s->tlsext_build_order_len = 0;
+
+        if ((s->tlsext_build_order = calloc(s->tlsext_build_order_len,
+            N_TLS_EXTENSIONS)) == NULL)
+                return 0;
+        s->tlsext_build_order_len = N_TLS_EXTENSIONS;
+
         for (idx = 0; idx < N_TLS_EXTENSIONS; idx++)
                 s->tlsext_build_order[idx] = &tls_extensions[idx];