Fix a compression bug
authorMatt Caswell <matt@openssl.org>
Wed, 1 Mar 2017 11:20:30 +0000 (11:20 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 2 Mar 2017 16:49:28 +0000 (16:49 +0000)
do_ssl3_write() was crashing when compression was enabled. We calculate
the maximum length that a record will be after compression and reserve
those bytes in the WPACKET. Unfortunately we were adding the maximum
compression overhead onto the wrong variable resulting in a corrupted
record.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)

ssl/record/rec_layer_s3.c

index 37f7cd378bdba22187532370733d52563b90c64c..5aea4b31bdd6262327432c361a8ade2faef3110f 100644 (file)
@@ -791,7 +791,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         maxcomplen = pipelens[j];
         if (s->compress != NULL)
-            pipelens[j] += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+            maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
 
         /* write the header */
         if (!WPACKET_put_bytes_u8(thispkt, rectype)