Commit f789b04f authored by Matt Caswell's avatar Matt Caswell
Browse files

Fix a WPACKET bug 



If we request more bytes to be allocated than double what we have already
written, then we grow the buffer by the wrong amount.

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
parent 84d5549e

ssl/packet.c

+7 −3
Original line number Diff line number Diff line
@@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) 


    if (pkt->buf->length - pkt->written < len) {

        size_t newlen;

        size_t reflen;



        if (pkt->buf->length > SIZE_MAX / 2) {

        reflen = (len > pkt->buf->length) ? len : pkt->buf->length;



        if (reflen > SIZE_MAX / 2) {

            newlen = SIZE_MAX;

        } else {

            newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE

                                             : pkt->buf->length * 2;

            newlen = reflen * 2;

            if (newlen < DEFAULT_BUF_SIZE)

                newlen = DEFAULT_BUF_SIZE;

        }

        if (BUF_MEM_grow(pkt->buf, newlen) == 0)

            return 0;