From f33f9ddefbb34584acb73c51e286f9913af96534 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 1 Mar 2017 11:20:30 +0000
Subject: [PATCH] Fix a compression bug

do_ssl3_write() was crashing when compression was enabled. We calculate
the maximum length that a record will be after compression and reserve
those bytes in the WPACKET. Unfortunately we were adding the maximum
compression overhead onto the wrong variable resulting in a corrupted
record.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
---
 ssl/record/rec_layer_s3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 37f7cd378b..5aea4b31bd 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -791,7 +791,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         maxcomplen = pipelens[j];
         if (s->compress != NULL)
-            pipelens[j] += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+            maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
 
         /* write the header */
         if (!WPACKET_put_bytes_u8(thispkt, rectype)
-- 
2.25.1