Don't lookup zero length session ID.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 17 Oct 2007 17:31:57 +0000 (17:31 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 17 Oct 2007 17:31:57 +0000 (17:31 +0000)
PR: 1591

ssl/ssl_sess.c

index c408b07..2e44a7a 100644 (file)
@@ -435,10 +435,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                fatal = 1;
                goto err;
                }
-       else if (r == 0)
+       else if (r == 0 || (!ret || !len))
                goto err;
        else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #else
+       if (len == 0)
+               goto err;
        if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #endif
                {