[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Nov 7 15:30:46 UTC 2016

The branch master has been updated
       via  c437757466e7bef632b26eaaf429a9e693330999 (commit)
      from  475592e2419c5cb3098dfea4c9229d0c09ea7010 (commit)

- Log -----------------------------------------------------------------
commit c437757466e7bef632b26eaaf429a9e693330999
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Nov 3 13:21:28 2016 +0000

    Always ensure that init_msg is initialised for a CCS

    We read it later in grow_init_buf(). If CCS is the first thing received in
    a flight, then it will use the init_msg from the last flight we received. If
    the init_buf has been grown in the meantime then it will point to some
    arbitrary other memory location. This is likely to result in grow_init_buf()
    attempting to grow to some excessively large amount which is likely to
    fail. In practice this should never happen because the only time we receive
    a CCS as the first thing in a flight is in an abbreviated handshake. None
    of the preceding messages from the server flight would be large enough to
    trigger this.

    Reviewed-by: Rich Salz <rsalz at openssl.org>


Summary of changes:
 ssl/statem/statem_lib.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 990510a..24159da 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -391,6 +391,7 @@ int tls_get_message_header(SSL *s, int *mt)
                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                 s->init_num = readbytes - 1;
+                s->init_msg = s->init_buf->data;
                 s->s3->tmp.message_size = readbytes;
                 return 1;
             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
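
Review bot: the added `s->init_msg = s->init_buf->data;` in the SSL3_MT_CHANGE_CIPHER_SPEC branch of tls_get_message_header() has no comment, so the reason it is needed exists only in the commit message. A short comment above it stating that grow_init_buf() reads init_msg later, and that a value left over from the previous flight may no longer point into the current init_buf, would keep a later cleanup from treating it as a redundant store. The summary also shows a single file changed, so no regression test accompanies the fix; because the log says the condition should not arise in practice, a test that delivers a CCS as the first message of a flight after init_buf has been grown would be the only thing exercising this line.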
