In ssl3_send_certificate_request(), when adding the extra payload if

NETSCAPE_HANG_BUG is defined, make sure we BUF_MEM_grow() the buffer to
accomodate for the payload size.

Issue reported by David Ramos; ok beck@

1 files changed, 6 insertions, 1 deletions

diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 081aebf1f5d..decf35d50fe 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1988,7 +1988,12 @@ ssl3_send_certificate_request(SSL *s)
 		s->init_num = n + 4;
 		s->init_off = 0;
 #ifdef NETSCAPE_HANG_BUG
-		p = (unsigned char *)s->init_buf->data + s->init_num;
+		if (!BUF_MEM_grow(buf, s->init_num + 4)) {
+			SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,
+			    ERR_R_BUF_LIB);
+			goto err;
+		}
+		p = (unsigned char *)buf->data + s->init_num;
 
 		/* do the header */
 		*(p++) = SSL3_MT_SERVER_DONE;