Always ensure that init_msg is initialised for a CCS

We read it later in grow_init_buf(). If CCS is the first thing received in a flight, then it will use the init_msg from the last flight we received. If the init_buf has been grown in the meantime then it will point to some arbitrary other memory location. This is likely to result in grow_init_buf() attempting to grow to some excessively large amount which is likely to fail. In practice this should never happen because the only time we receive a CCS as the first thing in a flight is in an abbreviated handshake. None of the preceding messages from the server flight would be large enough to trigger this. Reviewed-by: N Rich Salz <rsalz@openssl.org>

Always ensure that init_msg is initialised for a CCS
We read it later in grow_init_buf(). If CCS is the first thing received in a flight, then it will use the init_msg from the last flight we received. If the init_buf has been grown in the meantime then it will point to some arbitrary other memory location. This is likely to result in grow_init_buf() attempting to grow to some excessively large amount which is likely to fail. In practice this should never happen because the only time we receive a CCS as the first thing in a flight is in an abbreviated handshake. None of the preceding messages from the server flight would be large enough to trigger this. Reviewed-by: N Rich Salz <rsalz@openssl.org>
c4377574 · Matt Caswell · 475592e2 · c4377574
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

ssl/statem/statem_lib.c ssl/statem/statem_lib.c +1 -0

未找到文件。
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -391,6 +391,7 @@ int tls_get_message_header(SSL *s, int *mt)
                }
                s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                s->init_num = readbytes - 1;
+                s->init_msg = s->init_buf->data;
                s->s3->tmp.message_size = readbytes;
                return 1;
            } else if (recvd_type != SSL3_RT_HANDSHAKE) {