CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2023/11/28 06:19:04
Modified files:
lib/libssl : tls13_legacy.c
Log message:
Switch to legacy method late in tls13_use_legacy_stack()
If memory allocation of s->init_buf fails in ssl3_setup_init_buffer()
during downgrade to the legacy stack, the legacy state machine would
resume with an incorrectly set up SSL, resulting in a NULL dereference.
The fix is to switch to the legacy method only after the SSL is fully
set up. There is a second part to this fix, which will be committed
once we manage to agree on the color of the bikeshed.
Detailed analysis and patch from Masaru Masuda, many thanks!
https://github.com/libressl/openbsd/issues/146
ok jsing
