Fix a WPACKET bug

If we request more bytes to be allocated than double what we have already written, then we grow the buffer by the wrong amount. Reviewed-by: Emilia Käsper <emilia@openssl.org>
author: Matt Caswell <matt@openssl.org> 2016-09-23 16:41:50 +0100
committer: Matt Caswell <matt@openssl.org> 2016-09-26 08:52:48 +0100
commit: f789b04f407c2003da62d2b91b587629f1a781d0 (patch)
tree: 8ffbfed5156fb42a86c206631bc3b2807057ff20 /ssl/packet.c
parent: 84d5549e692e63a16fa1b11603e4098fc31746e9 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/ssl/packet.c b/ssl/packet.c
index 0e8e8764dd..4077de5c33 100644
--- a/ssl/packet.c
+++ b/ssl/packet.c
@@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes)
 
     if (pkt->buf->length - pkt->written < len) {
         size_t newlen;
+        size_t reflen;
 
-        if (pkt->buf->length > SIZE_MAX / 2) {
+        reflen = (len > pkt->buf->length) ? len : pkt->buf->length;
+
+        if (reflen > SIZE_MAX / 2) {
             newlen = SIZE_MAX;
         } else {
-            newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE
-                                             : pkt->buf->length * 2;
+            newlen = reflen * 2;
+            if (newlen < DEFAULT_BUF_SIZE)
+                newlen = DEFAULT_BUF_SIZE;
         }
         if (BUF_MEM_grow(pkt->buf, newlen) == 0)
             return 0;
author	Matt Caswell <matt@openssl.org>	2016-09-23 16:41:50 +0100
committer	Matt Caswell <matt@openssl.org>	2016-09-26 08:52:48 +0100
commit	f789b04f407c2003da62d2b91b587629f1a781d0 (patch)
tree	8ffbfed5156fb42a86c206631bc3b2807057ff20 /ssl/packet.c
parent	84d5549e692e63a16fa1b11603e4098fc31746e9 (diff)