From: Victor Julien <victor@inliniac.net>
Date: Fri, 3 Apr 2020 15:03:47 +0000 (+0200)
Subject: ssl: fix handshake cert buffer sizing
X-Git-Tag: suricata-6.0.0-beta1~453
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa2a1385eafb1606bd49c1fcff4939f255fd81e6;p=thirdparty%2Fsuricata.git

ssl: fix handshake cert buffer sizing

'trec' buffer was not grown properly when it was checked as too small.
After this it wasn't checked again so that copying into the buffer could
overflow it.
---

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 8787783d76..691a3e7b3c 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1408,7 +1408,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
             if (ssl_state->curr_connp->trec_pos + input_len >=
                     ssl_state->curr_connp->trec_len) {
                 ssl_state->curr_connp->trec_len =
-                        ssl_state->curr_connp->trec_len + 2 * input_len + 1;
+                        ssl_state->curr_connp->trec_pos + 2 * input_len + 1;
                 ptmp = SCRealloc(ssl_state->curr_connp->trec,
                         ssl_state->curr_connp->trec_len);