projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 84d5549)
Fix a WPACKET bug
authorMatt Caswell <matt@openssl.org>
Fri, 23 Sep 2016 15:41:50 +0000 (16:41 +0100)
committerMatt Caswell <matt@openssl.org>
Mon, 26 Sep 2016 07:52:48 +0000 (08:52 +0100)
If we request more bytes to be allocated than double what we have already
written, then we grow the buffer by the wrong amount.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
ssl/packet.c patch | blob | history

diff --git a/ssl/packet.c b/ssl/packet.c
index 0e8e8764dd8dd0193d7666b4f13d43acbe368e64..4077de5c3351aef45f841f42d270867a36264c45 100644 (file)
--- a/ssl/packet.c
+++ b/ssl/packet.c
@@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes)
 
     if (pkt->buf->length - pkt->written < len) {
         size_t newlen;
+        size_t reflen;
 
-        if (pkt->buf->length > SIZE_MAX / 2) {
+        reflen = (len > pkt->buf->length) ? len : pkt->buf->length;
+
+        if (reflen > SIZE_MAX / 2) {
             newlen = SIZE_MAX;
         } else {
-            newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE
-                                             : pkt->buf->length * 2;
+            newlen = reflen * 2;
+            if (newlen < DEFAULT_BUF_SIZE)
+                newlen = DEFAULT_BUF_SIZE;
         }
         if (BUF_MEM_grow(pkt->buf, newlen) == 0)
             return 0;
Unnamed repository; edit this file 'description' to name the repository.