Hello,

Our UC-KLEE tool found an out-of-bounds write bug in ssl3_send_certificate_request (ssl/s3_srvr.c) caused by allocating an insufficiently large buffer. It appears that NETSCAPE_HANG_BUG is defined to append the 4-byte ServerDone message to the CertificateRequest message, but the necessary space is not requested by the allocation:

    if (!BUF_MEM_grow_clean(buf,4+n+j+2))

(I believe the hard-coded 4 in that line refers to the 4-byte message header for the CertificateRequest, not the subsequent ServerDone.) This bug affects OpenSSL 1.0.1 and likely other branches as well. Attached is a suggested patch, which is perhaps preferable to adding another opaque "+4" to the allocation site.

Thanks,
-David
ssl3_send_certificate_request-bufsize.patch
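A constructed C model of the size accounting described in the message, added here and not taken from OpenSSL or from the attached patch: a bounds-checked writer lays out the CertificateRequest message plus the ServerDone that NETSCAPE_HANG_BUG appends, so the 4-byte shortfall of the 4+n+j+2 allocation surfaces as a refused write rather than a silent out-of-bounds write. The meanings of n (body bytes before the DN entry) and j (DER length of the one CA name), the sample cert types and the placeholder DN bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the message layout, not OpenSSL code.  Assumed meanings:
 * n = body bytes before the DN entry (count byte + cert types + 2-byte list
 * length), j = DER length of the single CA name. */
#define HANDSHAKE_HDR   4   /* handshake type + 3-byte length */
#define SERVER_DONE_LEN 4   /* ServerHelloDone appended under NETSCAPE_HANG_BUG */

typedef struct {
    uint8_t data[64];
    size_t cap;      /* size requested, i.e. BUF_MEM_grow_clean's argument */
    size_t len;
    int overflow;    /* latched when a write would run past cap */
} cbuf;

static void cb_put(cbuf *b, const void *src, size_t n) {
    if (b->len + n > b->cap) { b->overflow = 1; return; } /* refuse OOB write */
    memcpy(b->data + b->len, src, n);
    b->len += n;
}
/* Serialise CertificateRequest (+ ServerDone if hang_bug) into a buffer of
 * size alloc; returns 1 if any write would have gone out of bounds. */
int build_cert_request(size_t alloc, const uint8_t *types, size_t ntypes,
                       const uint8_t *dn, size_t j, int hang_bug)
{
    cbuf b = { {0}, alloc <= sizeof b.data ? alloc : sizeof b.data, 0, 0 };
    size_t body = 1 + ntypes + 2 + 2 + j;
    uint8_t hdr[HANDSHAKE_HDR] = { 13, (uint8_t)(body >> 16),
                                   (uint8_t)(body >> 8), (uint8_t)body };
    uint8_t count = (uint8_t)ntypes;
    /* big-endian lengths: whole DN list (2 + j), then this DN (j) */
    uint8_t lens[4] = { (uint8_t)((2 + j) >> 8), (uint8_t)(2 + j),
                        (uint8_t)(j >> 8), (uint8_t)j };
    static const uint8_t server_done[SERVER_DONE_LEN] = { 14, 0, 0, 0 };
    cb_put(&b, hdr, sizeof hdr);
    cb_put(&b, &count, 1);
    cb_put(&b, types, ntypes);
    cb_put(&b, lens, sizeof lens);
    cb_put(&b, dn, j);
    if (hang_bug) cb_put(&b, server_done, sizeof server_done);
    return b.overflow;
}
/* The allocation from the e-mail, and one that also covers the ServerDone. */
size_t original_alloc(size_t n, size_t j) { return 4 + n + j + 2; }
size_t fixed_alloc(size_t n, size_t j, int hb) { return original_alloc(n, j) + (hb ? SERVER_DONE_LEN : 0); }
/* Constructed sample: two cert types (n = 1 + 2 + 2 = 5), 8 placeholder DN bytes (j = 8). */
const uint8_t sample_types[2] = { 1, 64 };
const uint8_t sample_dn[8] = { 0x30, 0x06, 0x31, 0x04, 0x30, 0x02, 0x55, 0x04 };
```

With the sample input the original allocation is exactly filled by the CertificateRequest itself, so the appended ServerDone is the write that overflows.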
