From f0a36b9f78febba27b10781ea27c65ab1f85e385 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Thu, 24 Apr 2014 04:31:30 +0000
Subject: on today's episode of things you didn't want to learn:
 do_ssl3_write() is recursive. and not in the simple, obvious way, but in the
 sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this
 then has a decent chance of releasing the buffer that we thought we were
 going to use. check for this happening, and if the buffer has gone missing,
 put another one back in place. the direct recursive call is safe because it
 won't call ssl3_write_pending which is the function that actually does do the
 writing and releasing. as reported by David Ramos to openssl-dev:
 http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck

---
 src/lib/libssl/s3_pkt.c         | 4 ++++
 src/lib/libssl/src/ssl/s3_pkt.c | 4 ++++
 2 files changed, 8 insertions(+)

(limited to 'src/lib')

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 60c51146ac..5ef25a4059 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		if (i <= 0)
 			return (i);
 		/* if it went, fall through and send more stuff */
+		/* we may have released our buffer, so get it again */
+		if (wb->buf == NULL)
+			if (!ssl3_setup_write_buffer(s))
+				return -1;
 	}
 
 	if (len == 0 && !create_empty_fragment)
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index 60c51146ac..5ef25a4059 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -619,6 +619,10 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 		if (i <= 0)
 			return (i);
 		/* if it went, fall through and send more stuff */
+		/* we may have released our buffer, so get it again */
+		if (wb->buf == NULL)
+			if (!ssl3_setup_write_buffer(s))
+				return -1;
 	}
 
 	if (len == 0 && !create_empty_fragment)
-- 
cgit v1.2.3-55-g6feb