commit f7db5e0a4a8b1de5154e154ec2097ae867fd7380
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Feb 18 10:32:41 2015 +0000
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Feb 18 10:32:41 2015 +0000
tree d30464508c4585d69ced4bd25b90a974a5dd6b56
parent f45850c493485a8fdc7b29f78108640430dfa66a

Avoid possible dangling pointers

If the allocation fails, we don't really want ssl->in_ctr = 8 lying around.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6c27dac..d1caf49 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3628,23 +3628,8 @@
     /*
      * Prepare base structures
      */
-    ssl->in_ctr = polarssl_malloc( len );
-    ssl->in_hdr = ssl->in_ctr +  8;
-    ssl->in_iv  = ssl->in_ctr + 13;
-    ssl->in_msg = ssl->in_ctr + 13;
-
-    if( ssl->in_ctr == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    ssl->out_ctr = polarssl_malloc( len );
-    ssl->out_hdr = ssl->out_ctr +  8;
-    ssl->out_iv  = ssl->out_ctr + 13;
-    ssl->out_msg = ssl->out_ctr + 13;
-
-    if( ssl->out_ctr == NULL )
+    if( ( ssl->in_ctr = polarssl_malloc( len ) ) == NULL ||
+        ( ssl->out_ctr = polarssl_malloc( len ) ) == NULL )
     {
         SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
         polarssl_free( ssl->in_ctr );
@@ -3655,6 +3640,14 @@
     memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
     memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
 
+    ssl->in_hdr = ssl->in_ctr +  8;
+    ssl->in_iv  = ssl->in_ctr + 13;
+    ssl->in_msg = ssl->in_ctr + 13;
+
+    ssl->out_hdr = ssl->out_ctr +  8;
+    ssl->out_iv  = ssl->out_ctr + 13;
+    ssl->out_msg = ssl->out_ctr + 13;
+
 #if defined(POLARSSL_SSL_ENCRYPT_THEN_MAC)
     ssl->encrypt_then_mac = SSL_ETM_ENABLED;
 #endif