SSL_set1_groups_list(): Fix memory corruption with 40 groups and more

Fixes #23624 The calculation of the size for gid_arr reallocation was wrong. A multiplication by gid_arr array item size was missing. Testcase is added. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23625)
author: Michael Baentsch <57787676+baentsch@users.noreply.github.com> 2024-02-19 06:41:35 +0100
committer: Tomas Mraz <tomas@openssl.org> 2024-02-22 12:48:21 +0100
commit: f4ed6eed2c8fcb1852938683669218655fe4f894 (patch)
tree: 36d38c2936c37723d3c5b9a5bcadb49564661d47 /ssl
parent: db511578f7822ed6aa47760adfdc08ef84a17698 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index de82d2b33a..ed40f1091b 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1049,7 +1049,8 @@ static int gid_cb(const char *elem, int len, void *arg)
         return 0;
     if (garg->gidcnt == garg->gidmax) {
         uint16_t *tmp =
-            OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT);
+            OPENSSL_realloc(garg->gid_arr,
+                            (garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr));
         if (tmp == NULL)
             return 0;
         garg->gidmax += GROUPLIST_INCREMENT;
author	Michael Baentsch <57787676+baentsch@users.noreply.github.com>	2024-02-19 06:41:35 +0100
committer	Tomas Mraz <tomas@openssl.org>	2024-02-22 12:48:21 +0100
commit	f4ed6eed2c8fcb1852938683669218655fe4f894 (patch)
tree	36d38c2936c37723d3c5b9a5bcadb49564661d47 /ssl
parent	db511578f7822ed6aa47760adfdc08ef84a17698 (diff)