From 33460cdfb84b1777ff82f46bb74096d11b773df1 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 3 Apr 2020 17:03:47 +0200 Subject: [PATCH] ssl: fix handshake cert buffer sizing 'trec' buffer was not grown properly when it was checked as too small. After this it wasn't checked again so that copying into the buffer could overflow it. Bug: #3609
---
 src/app-layer-ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 599774e196..d8a2638fa2 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1436,7 +1436,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
 if (ssl_state->curr_connp->trec_pos + input_len >= ssl_state->curr_connp->trec_len) { ssl_state->curr_connp->trec_len =
- ssl_state->curr_connp->trec_len + 2 * input_len + 1;
+ ssl_state->curr_connp->trec_pos + 2 * input_len + 1;
 ptmp = SCRealloc(ssl_state->curr_connp->trec, ssl_state->curr_connp->trec_len);
-- 
2.47.2
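Review bot: The new size `trec_pos + 2 * input_len + 1` is written into `trec_len` without a wraparound check, and it is written before `SCRealloc` is known to have succeeded. The field types are not visible in this hunk, but if they are fixed-width unsigned integers, a large enough `input_len` could wrap both this sum and the `trec_pos + input_len >=` guard above it. That would leave `trec_len` smaller than what is copied afterwards, which is the same overflow class this commit closes. I would compute the size into a local, reject the record when the addition would exceed the type's maximum, and assign `trec_len` only once `ptmp` is non-NULL. The function body starts and ends outside the hunk, so confirm whether the realloc failure path already resets `trec_len`, and consider a comment such as `/* after growth: trec_pos + input_len < trec_len must hold for the copy below */`.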