From: Matt Caswell Date: Thu, 3 Nov 2016 13:21:28 +0000 (+0000) Subject: Always ensure that init_msg is initialised for a CCS X-Git-Tag: OpenSSL_1_1_0c~25 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=992b3740a1f7b24771ccf29a52b0141c51b95933;p=oweals%2Fopenssl.git Always ensure that init_msg is initialised for a CCS We read it later in grow_init_buf(). If CCS is the first thing received in a flight, then it will use the init_msg from the last flight we received. If the init_buf has been grown in the meantime then it will point to some arbitrary other memory location. This is likely to result in grow_init_buf() attempting to grow to some excessively large amount which is likely to fail. In practice this should never happen because the only time we receive a CCS as the first thing in a flight is in an abbreviated handshake. None of the preceding messages from the server flight would be large enough to trigger this. Reviewed-by: Rich Salz (cherry picked from commit c437757466e7bef632b26eaaf429a9e693330999) --- diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 31a84e4428..637c610ac3 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -370,6 +370,7 @@ int tls_get_message_header(SSL *s, int *mt) } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = i - 1; + s->init_msg = s->init_buf->data; s->s3->tmp.message_size = i; return 1; } else if (recvd_type != SSL3_RT_HANDSHAKE) {