| 1 |
From e76e308f1fab2253ab5b4ef52a1865c5ffecdf21 Mon Sep 17 00:00:00 2001 |
| 2 |
From: tedu <tedu> |
| 3 |
Date: Thu, 24 Apr 2014 04:31:30 +0000 |
| 4 |
Subject: on today's episode of things you didn't want to learn: |
| 5 |
do_ssl3_write() is recursive. and not in the simple, obvious way, but in the |
| 6 |
sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this |
| 7 |
then has a decent chance of releasing the buffer that we thought we were |
| 8 |
going to use. check for this happening, and if the buffer has gone missing, |
| 9 |
put another one back in place. the direct recursive call is safe because it |
| 10 |
won't call ssl3_write_pending which is the function that actually does do the |
| 11 |
writing and releasing. as reported by David Ramos to openssl-dev: |
| 12 |
http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck |
| 13 |
|
| 14 |
|
| 15 |
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c |
| 16 |
index 60c5114..5ef25a4 100644 |
| 17 |
--- a/lib/libssl/src/ssl/s3_pkt.c |
| 18 |
+++ b/lib/libssl/src/ssl/s3_pkt.c |
| 19 |
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ |
| 20 |
if (i <= 0) |
| 21 |
return(i); |
| 22 |
/* if it went, fall through and send more stuff */ |
| 23 |
+ /* we may have released our buffer, so get it again */ |
| 24 |
+ if (wb->buf == NULL) |
| 25 |
+ if (!ssl3_setup_write_buffer(s)) |
| 26 |
+ return -1; |
| 27 |
} |
| 28 |
|
| 29 |
if (len == 0 && !create_empty_fragment) |
| 30 |
-- |
| 31 |
cgit v0.9.2-21-gd62e |
Parent Directory
| 
Revision Log