From c437757466e7bef632b26eaaf429a9e693330999 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 3 Nov 2016 13:21:28 +0000 Subject: [PATCH] Always ensure that init_msg is initialised for a CCS We read it later in grow_init_buf(). If CCS is the first thing received in a flight, then it will use the init_msg from the last flight we received. If the init_buf has been grown in the meantime then it will point to some arbitrary other memory location. This is likely to result in grow_init_buf() attempting to grow to some excessively large amount which is likely to fail. In practice this should never happen because the only time we receive a CCS as the first thing in a flight is in an abbreviated handshake. None of the preceding messages from the server flight would be large enough to trigger this. Reviewed-by: Rich Salz --- ssl/statem/statem_lib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index 990510a06b..24159da3e7 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -391,6 +391,7 @@ int tls_get_message_header(SSL *s, int *mt) } s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = readbytes - 1; + s->init_msg = s->init_buf->data; s->s3->tmp.message_size = readbytes; return 1; } else if (recvd_type != SSL3_RT_HANDSHAKE) { -- 2.25.1
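Review bot: The added assignment `s->init_msg = s->init_buf->data;` carries no comment, and the reason it is needed (grow_init_buf() reads init_msg later, and a CCS arriving first in a flight would otherwise leave a pointer from a previous flight that may have been invalidated by a reallocation of init_buf) lives only in the commit message. Consider a one-line comment at the assignment, e.g. `/* init_msg is read by grow_init_buf(); reset it so a stale pointer from an earlier flight is never used */`, so a future reader does not remove it as redundant given that init_num is set to readbytes - 1 (an empty body) on the line above. Since the commit message says the stale-pointer case is reachable in an abbreviated handshake, a regression test exercising that path would also confirm the fix.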