From: Victor Julien
Date: Fri, 3 Apr 2020 15:03:47 +0000 (+0200)
Subject: ssl: fix handshake cert buffer sizing
X-Git-Tag: suricata-5.0.3~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33460cdfb84b1777ff82f46bb74096d11b773df1;p=thirdparty%2Fsuricata.git

ssl: fix handshake cert buffer sizing

'trec' buffer was not grown properly when it was checked as too small. After this it wasn't checked again so that copying into the buffer could overflow it.

Bug: #3609
---

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 599774e196..d8a2638fa2 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1436,7 +1436,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
 if (ssl_state->curr_connp->trec_pos + input_len >= ssl_state->curr_connp->trec_len) {
 ssl_state->curr_connp->trec_len =
- ssl_state->curr_connp->trec_len + 2 * input_len + 1;
+ ssl_state->curr_connp->trec_pos + 2 * input_len + 1;
 ptmp = SCRealloc(ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_len);
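Review bot: The size arithmetic in the changed line, and in the `trec_pos + input_len >= trec_len` guard above it, is not checked for wrap-around, so the fix only holds while `trec_pos + 2 * input_len + 1` fits the type of `trec_len`. The field types and any upstream bound on `input_len` are not visible here; if they are 32-bit unsigned and `input_len` is taken from the record without a cap, a wrapped sum would skip or undersize the realloc, and the later copy mentioned in the commit message could still run past the buffer. I would add a widened check before the comparison, e.g. `if ((uint64_t)ssl_state->curr_connp->trec_pos + 2 * (uint64_t)input_len + 1 > UINT32_MAX)` leading into the function's existing error path, and a comment on the assignment such as `/* grow from trec_pos so that trec_len > trec_pos + input_len after the realloc */`. SSLv3ParseHandshakeType starts and ends outside this hunk, so the SCRealloc failure handling and the copy itself could not be checked.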