Increase wbuf by one byte to fix the bug reported by

[oweals/openssl.git] / ssl / s2_lib.c

diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 129ed89d970448a84cefd0b3fcff9423f0186917..a89958607cfd2800e03f5d0e90535891fa0ac704 100644 (file)
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -270,10 +270,16 @@ int ssl2_new(SSL *s)
        if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
        memset(s2,0,sizeof *s2);
 
+#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
+#  error "assertion failed"
+#endif
+
        if ((s2->rbuf=OPENSSL_malloc(
                SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+       /* wbuf needs one byte more because when using two-byte headers,
+        * we leave the first byte unused in do_ssl_write (s2_pkt.c) */
        if ((s2->wbuf=OPENSSL_malloc(
-               SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+               SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
        s->s2=s2;
 
        ssl2_clear(s);