Apparently s->ctx could be NULL. (Coverity ID 147).

[openssl.git] / ssl / t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9ad7c29a7d15d278c61e9df46300a7d692cd5995..3c6907f608faeef8ed2fd12d283baa1550311dbf 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1197,7 +1197,7 @@ int ssl_check_clienthello_tlsext(SSL *s)
         * Note: this must be called after servername callbacks in case 
         * the certificate has changed.
         */
-       if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
+       if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
@@ -1372,7 +1372,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
         * tell the callback
         */
        if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
-                       && s->ctx->tlsext_status_cb)
+                       && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
                /* Set resp to NULL, resplen to -1 so callback knows
@@ -1532,9 +1532,11 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
         * integrity checks on ticket.
         */
        mlen = HMAC_size(&hctx);
-       if (mlen <= 0)
+       if (mlen < 0)
+               {
+               EVP_CIPHER_CTX_cleanup(&ctx);
                return -1;
-
+               }
        eticklen -= mlen;
        /* Check HMAC of encrypted ticket */
        HMAC_Update(&hctx, etick, eticklen);