From: Matt Caswell <matt@openssl.org>
Date: Wed, 1 Mar 2017 11:20:30 +0000 (+0000)
Subject: Fix a compression bug
X-Git-Tag: OpenSSL_1_1_1-pre1~2182
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f33f9ddefbb34584acb73c51e286f9913af96534;p=oweals%2Fopenssl.git

Fix a compression bug

do_ssl3_write() was crashing when compression was enabled. We calculate
the maximum length that a record will be after compression and reserve
those bytes in the WPACKET. Unfortunately we were adding the maximum
compression overhead onto the wrong variable resulting in a corrupted
record.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
---

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 37f7cd378b..5aea4b31bd 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -791,7 +791,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         maxcomplen = pipelens[j];
         if (s->compress != NULL)
-            pipelens[j] += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+            maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
 
         /* write the header */
         if (!WPACKET_put_bytes_u8(thispkt, rectype)