Fix array bounds violation in ssl_session_dup
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Fri, 25 May 2018 06:06:55 +0000 (08:06 +0200)
committerBernd Edlinger <bernd.edlinger@hotmail.de>
Fri, 25 May 2018 06:06:55 +0000 (08:06 +0200)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6353)

ssl/ssl_sess.c

index 541f82a851a2e5f9e3b6fec0b5195d6f38dc2b7b..52ec670787a3d584a77399f135fe9531efd5bd29 100644 (file)
@@ -204,7 +204,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     if (src->ext.supportedgroups) {
         dest->ext.supportedgroups =
             OPENSSL_memdup(src->ext.supportedgroups,
-                           src->ext.supportedgroups_len);
+                           src->ext.supportedgroups_len
+                                * sizeof(*src->ext.supportedgroups));
         if (dest->ext.supportedgroups == NULL)
             goto err;
     }