From e76e308f1fab2253ab5b4ef52a1865c5ffecdf21 Mon Sep 17 00:00:00 2001 |
From: tedu <tedu> |
Date: Thu, 24 Apr 2014 04:31:30 +0000 |
Subject: on today's episode of things you didn't want to learn: |
do_ssl3_write() is recursive. and not in the simple, obvious way, but in the |
sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this |
then has a decent chance of releasing the buffer that we thought we were |
going to use. check for this happening, and if the buffer has gone missing, |
put another one back in place. the direct recursive call is safe because it |
won't call ssl3_write_pending which is the function that actually does do the |
writing and releasing. as reported by David Ramos to openssl-dev: |
http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck |
|
|
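diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 60c5114..5ef25a4 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
 if (i <= 0)
 return(i);
 /* if it went, fall through and send more stuff */
+/* we may have released our buffer, so get it again */
+if (wb->buf == NULL)
+if (!ssl3_setup_write_buffer(s))
+return -1;
 }
 
 if (len == 0 && !create_empty_fragment)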
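Review bot: The recovery at `if (wb->buf == NULL)` only works if the release path that runs underneath ssl3_write_pending() leaves `wb->buf` NULL rather than dangling after the free; nothing in the hunk establishes that, and if it does not hold the check passes and the write below proceeds through freed memory, so the comment should state the dependency: `/* ssl3_write_pending() may recurse via ssl3_dispatch_alert() and release wb; relies on the release leaving wb->buf NULL */`. The nested unbraced `if` is the shape that hides fall-through mistakes; `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;` says the same in one guarded line. `return -1` departs from the `return(i)` style of the neighbouring lines, and it is not visible from the hunk whether ssl3_setup_write_buffer() queues an SSL error before failing, which the caller would otherwise lack on this new path — worth confirming. do_ssl3_write() begins and ends outside the hunk.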
-- |