diff options
author | Matt Caswell <matt@openssl.org> | 2016-09-23 16:41:50 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-09-26 08:52:48 +0100 |
commit | f789b04f407c2003da62d2b91b587629f1a781d0 (patch) | |
tree | 8ffbfed5156fb42a86c206631bc3b2807057ff20 /ssl/packet.c | |
parent | 84d5549e692e63a16fa1b11603e4098fc31746e9 (diff) |
Fix a WPACKET bug
If we request more bytes to be allocated than double what we have already
written, then we grow the buffer by the wrong amount.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'ssl/packet.c')
-rw-r--r-- | ssl/packet.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/ssl/packet.c b/ssl/packet.c index 0e8e8764dd..4077de5c33 100644 --- a/ssl/packet.c +++ b/ssl/packet.c @@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) if (pkt->buf->length - pkt->written < len) { size_t newlen; + size_t reflen; - if (pkt->buf->length > SIZE_MAX / 2) { + reflen = (len > pkt->buf->length) ? len : pkt->buf->length; + + if (reflen > SIZE_MAX / 2) { newlen = SIZE_MAX; } else { - newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE - : pkt->buf->length * 2; + newlen = reflen * 2; + if (newlen < DEFAULT_BUF_SIZE) + newlen = DEFAULT_BUF_SIZE; } if (BUF_MEM_grow(pkt->buf, newlen) == 0) return 0; |