Avoid questionable use of the value of a pointer

that refers to space deallocated by a call to the free function in tls_decrypt_ticket. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2897) (cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2)

Avoid questionable use of the value of a pointer
that refers to space deallocated by a call to the free function in tls_decrypt_ticket. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2897) (cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2)
d3bc9805 · Bernd Edlinger · Rich Salz · 22cef4e1 · d3bc9805
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

ssl/t1_lib.c ssl/t1_lib.c +2 -1

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1311,10 +1311,11 @@ TICKET_RETURN tls_decrypt_ticket(SSL *s, const unsigned char *etick,
    p = sdec;

    sess = d2i_SSL_SESSION(NULL, &p, slen);
+    slen -= p - sdec;
    OPENSSL_free(sdec);
    if (sess) {
        /* Some additional consistency checks */
-        if (p != sdec + slen || sess->session_id_length != 0) {
+        if (slen != 0 || sess->session_id_length != 0) {
            SSL_SESSION_free(sess);
            return TICKET_NO_DECRYPT;
        }