From 07cfa1a278f7bbdc024101f7601144c23cca9b80 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Sun, 18 May 2014 16:10:26 +0000
Subject: In ssl3_send_certificate_request(), when adding the extra payload if NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to accomodate for the payload size. Issue reported by David Ramos; ok beck@
---
 src/lib/libssl/s3_srvr.c | 7 ++++++-
 src/lib/libssl/src/ssl/s3_srvr.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 081aebf1f5..decf35d50f 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
 s->init_num = n + 4;
 s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
- p = (unsigned char *)s->init_buf->data + s->init_num;
+ if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+ SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+ ERR_R_BUF_LIB);
+ goto err;
+ }
+ p = (unsigned char *)buf->data + s->init_num;
 /* do the header */
 *(p++) = SSL3_MT_SERVER_DONE;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 081aebf1f5..decf35d50f 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
 s->init_num = n + 4;
 s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
- p = (unsigned char *)s->init_buf->data + s->init_num;
+ if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+ SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+ ERR_R_BUF_LIB);
+ goto err;
+ }
+ p = (unsigned char *)buf->data + s->init_num;
 /* do the header */
 *(p++) = SSL3_MT_SERVER_DONE;
-- 
cgit v1.2.3-55-g6feb
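Review bot: The `+ 4` in the added `BUF_MEM_grow(buf, s->init_num + 4)` guard is an unexplained literal that must stay equal to the number of bytes written through `p` after it, and only the first of those writes (`*(p++) = SSL3_MT_SERVER_DONE;`) is visible in the hunk. I would put a comment directly above the guard, for example `/* reserve the 4 bytes of the extra ServerHelloDone header written below */`, so that a later change to the appended payload also updates the reservation. The new line derives `p` from `buf->data` only after the grow, which is the right order if the grow can move the buffer. It does rely on `buf` being the same object as `s->init_buf`, and on no pointer taken into the buffer earlier in the function being reused below; both are declared outside the hunk and should be confirmed there. The identical hunk in `src/lib/libssl/src/ssl/s3_srvr.c` needs the same comment.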