From: Matt Caswell <matt@openssl.org>
Date: Fri, 23 Sep 2016 15:41:50 +0000 (+0100)
Subject: Fix a WPACKET bug
X-Git-Tag: OpenSSL_1_1_1-pre1~3462
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f789b04f407c2003da62d2b91b587629f1a781d0;p=oweals%2Fopenssl.git

Fix a WPACKET bug

If we request more bytes to be allocated than double what we have already
written, then we grow the buffer by the wrong amount.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
---

diff --git a/ssl/packet.c b/ssl/packet.c
index 0e8e8764dd..4077de5c33 100644
--- a/ssl/packet.c
+++ b/ssl/packet.c
@@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes)
 
     if (pkt->buf->length - pkt->written < len) {
         size_t newlen;
+        size_t reflen;
 
-        if (pkt->buf->length > SIZE_MAX / 2) {
+        reflen = (len > pkt->buf->length) ? len : pkt->buf->length;
+
+        if (reflen > SIZE_MAX / 2) {
             newlen = SIZE_MAX;
         } else {
-            newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE
-                                             : pkt->buf->length * 2;
+            newlen = reflen * 2;
+            if (newlen < DEFAULT_BUF_SIZE)
+                newlen = DEFAULT_BUF_SIZE;
         }
         if (BUF_MEM_grow(pkt->buf, newlen) == 0)
             return 0;