ssl: fix handshake cert buffer sizing
authorVictor Julien <victor@inliniac.net>
Fri, 3 Apr 2020 15:03:47 +0000 (17:03 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 28 Apr 2020 10:05:39 +0000 (12:05 +0200)
The 'trec' buffer was not grown properly when it was found to be too small.
The size was not checked again afterwards, so copying into the buffer could
overflow it.

Bug: #3609

src/app-layer-ssl.c

index 599774e196baa910e0d0136c26c6b44b0696f0ad..d8a2638fa251871ee11140933caee7260b4c80c5 100644 (file)
@@ -1436,7 +1436,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
             if (ssl_state->curr_connp->trec_pos + input_len >=
                     ssl_state->curr_connp->trec_len) {
                 ssl_state->curr_connp->trec_len =
-                        ssl_state->curr_connp->trec_len + 2 * input_len + 1;
+                        ssl_state->curr_connp->trec_pos + 2 * input_len + 1;
                 ptmp = SCRealloc(ssl_state->curr_connp->trec,
                         ssl_state->curr_connp->trec_len);