CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2023/11/28 06:19:04

Modified files:
	lib/libssl     : tls13_legacy.c

Log message:
Switch to legacy method late in tls13_use_legacy_stack()

If memory allocation of s->init_buf fails in ssl3_setup_init_buffer()
during downgrade to the legacy stack, the legacy state machine would
resume with an incorrectly set up SSL, resulting in a NULL dereference.

The fix is to switch to the legacy method only after the SSL is fully
set up. There is a second part to this fix, which will be committed
once we manage to agree on the color of the bikeshed.

Detailed analysis and patch from Masaru Masuda, many thanks!

https://github.com/libressl/openbsd/issues/146

ok jsing
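
The ordering problem the log message describes, as an added simplified model in C that is neither LibreSSL's code nor part of the commit. `struct conn`, `setup_init_buffer()`, `use_legacy_early()`, `use_legacy_late()`, `conn_consistent()` and the `fail_alloc` hook are hypothetical stand-ins for the SSL object, `ssl3_setup_init_buffer()` and `tls13_use_legacy_stack()`; the buffer size is a constructed value.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model, not LibreSSL code: every name here is hypothetical. */
enum method { METHOD_TLS13, METHOD_LEGACY };
struct conn {
	enum method method;		/* selects which state machine runs next */
	unsigned char *init_buf;	/* the legacy state machine needs this */
};
static int fail_alloc;			/* hook: simulate allocation failure */

static int setup_init_buffer(struct conn *c)
{
	if (c->init_buf == NULL && !fail_alloc)
		c->init_buf = malloc(16384);	/* constructed size */
	return c->init_buf != NULL;
}

/* Ordering described as the bug: method is switched before setup can fail. */
static int use_legacy_early(struct conn *c)
{
	c->method = METHOD_LEGACY;
	return setup_init_buffer(c);	/* on failure: legacy, init_buf NULL */
}

/* Ordering described as the fix: switch only once setup has succeeded. */
static int use_legacy_late(struct conn *c)
{
	if (!setup_init_buffer(c))
		return 0;		/* still a consistent TLSv1.3 object */
	c->method = METHOD_LEGACY;
	return 1;
}

/* Invariant the legacy side relies on before it touches init_buf. */
static int conn_consistent(const struct conn *c)
{
	return c->method != METHOD_LEGACY || c->init_buf != NULL;
}

int main(void)
{
	struct conn a = { METHOD_TLS13, NULL }, b = { METHOD_TLS13, NULL };
	fail_alloc = 1;
	use_legacy_early(&a);
	use_legacy_late(&b);
	printf("early=%d late=%d\n", conn_consistent(&a), conn_consistent(&b));
	return 0;
}
```

Both variants report the failure to the caller; only the late variant leaves the object in a state that is safe to keep using if processing resumes anyway.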