From: Jay Satiro
Date: Wed, 6 Sep 2017 21:39:21 +0000 (+0200)
Subject: vtls: fix memory corruption
X-Git-Tag: curl-7_56_0~87
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=955c21939e58c8ba59877fbb7d628445143241d1;p=thirdparty%2Fcurl.git

vtls: fix memory corruption

Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data, 2017-07-28), the code handling HTTPS proxies was broken because the pointer to the SSL backend data was not swapped between conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but instead set to NULL (causing segmentation faults).

[jes: provided the commit message, tested and verified the patch]

Signed-off-by: Johannes Schindelin
---

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index a1a301e7f2..52f9228410 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -206,10 +206,20 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
 DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);
 if(ssl_connection_complete == conn->ssl[sockindex].state &&
 !conn->proxy_ssl[sockindex].use) {
+ struct ssl_backend_data *pbdata;
+
 if(!Curl_ssl->support_https_proxy)
 return CURLE_NOT_BUILT_IN;
+
+ /* The pointers to the ssl backend data, which is opaque here, are swapped
+ rather than move the contents. */
+ pbdata = conn->proxy_ssl[sockindex].backend;
 conn->proxy_ssl[sockindex] = conn->ssl[sockindex];
+
 memset(&conn->ssl[sockindex], 0, sizeof(conn->ssl[sockindex]));
+ memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data);
+
+ conn->ssl[sockindex].backend = pbdata;
 }
 return CURLE_OK;
 }
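Review bot: `pbdata` reaches `memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data)` with no check that `conn->proxy_ssl[sockindex].backend` was non-NULL, and nothing in this hunk shows where that buffer is allocated or that it really has that size. If allocation at connection setup is guaranteed, state the invariant with `DEBUGASSERT(pbdata);` right after the assignment; otherwise guard the memset, since a NULL here would bring back the crash this commit fixes. The new comment could also say why the swap matters, e.g. `/* proxy_ssl takes over ssl's backend buffer; ssl gets the zeroed former proxy buffer, so the two never share one pointer */`. The function body begins above the hunk, so any earlier validation is not visible here.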