From 9007509db696d631ec557b9f8edca899c1f91c06 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 3 Feb 2019 14:03:46 +0000
Subject: Use malloc() and memcpy() the test X25519 x25519_peer_public value.

Otherwise, if tlsext_keyshare_server_build() fails we call free with a
pointer to static memory and bad things happen.

Reported by bcook@
---
 src/regress/lib/libssl/tlsext/tlsexttest.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index d9b048dbfc..06b855f6bb 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.27 2019/01/24 02:56:41 beck Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.28 2019/02/03 14:03:46 jsing Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -3269,13 +3269,16 @@ test_tlsext_keyshare_server(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs_tls13.x25519_peer_public = bogokey;
+	if ((S3I(ssl)->hs_tls13.x25519_peer_public =
+	    malloc(sizeof(bogokey))) == NULL)
+		errx(1, "malloc failed");
+	memcpy(S3I(ssl)->hs_tls13.x25519_peer_public, bogokey, sizeof(bogokey));
+
 	if (!tlsext_keyshare_server_build(ssl, &cbb)) {
 		FAIL("server should be able to build a keyshare response");
 		failure = 1;
 		goto done;
 	}
-	S3I(ssl)->hs_tls13.x25519_peer_public = NULL;
 
 	if (!CBB_finish(&cbb, &data, &dlen)) {
 		FAIL("failed to finish CBB");
-- 
cgit v1.2.3-55-g6feb