ossl_rio_poll_builder_add_fd(): Fixup pfds after reallocation

Local variable `pfds` used in `ossl_rio_poll_builder_add_fd()` must be consistent
with `rpb->pfd_heap`. The function maintains array of SSL objects for SSL_poll(3ossl).
It works with no issues until we need to reallocate `rbp->pfd_heap` in `rpb_ensure_alloc()`.
After `rpb_ensure_alloc()` returns we must update local variable `pfds` with `rpb->pfd_heap`
not doing so makes function to write to dead buffer.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27804)

(cherry picked from commit 5ee8248d083c00583d52350ed9464bfb58d2f60c)

diff --git a/ssl/rio/poll_builder.c b/ssl/rio/poll_builder.c
index 3cfbe3b0acaa486b973bcbfa31a2153c1cc9da95..bd9317a8b8bbea6cb5af9418aaa6a50a29069004 100644 (file)
--- a/ssl/rio/poll_builder.c
+++ b/ssl/rio/poll_builder.c
@@ -115,8 +115,11 @@ int ossl_rio_poll_builder_add_fd(RIO_POLL_BUILDER *rpb, int fd,
     if (i >= rpb->pfd_alloc) {
         if (!rpb_ensure_alloc(rpb, rpb->pfd_alloc * 2))
             return 0;
+        pfds = rpb->pfd_heap;
     }
 
+    assert((rpb->pfd_heap != NULL && rpb->pfd_heap == pfds) ||
+           (rpb->pfd_heap == NULL && rpb->pfds == pfds));
     assert(i <= rpb->pfd_num && rpb->pfd_num <= rpb->pfd_alloc);
     pfds[i].fd      = fd;
     pfds[i].events  = 0;