Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert

[openssl.git] / ssl / d1_both.c

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 46c70d8ad54c931827021c3560031a7aefa19c16..9bc61536101b5ccc4e1e0639d52249090d20a396 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -581,9 +581,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
         /*
          * msg_len is limited to 2^24, but is effectively checked against max
          * above
+         *
+         * Make buffer slightly larger than message length as a precaution
+         * against small OOB reads e.g. CVE-2016-6306
          */
         if (!BUF_MEM_grow_clean
-            (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
+            (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
             SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
             return SSL_AD_INTERNAL_ERROR;
         }