From 2ddba8cd48f8c5d3d7658470140393d5158ee6d4 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@chromium.org>
Date: Wed, 18 Mar 2015 19:40:51 -0400
Subject: [PATCH] Check for RAND_bytes failures in the ClientHello.

(Imported from upstream's e1b568dd2462f7cacf98f3d117936c34e2849a6b.)

Our RAND_bytes secretly can't actually fail, but we should propagate the check
upwards.

Change-Id: Ieaaea98dad00bf73b1c0a42c039507d76b10ac78
Reviewed-on: https://boringssl-review.googlesource.com/4003
Reviewed-by: Adam Langley <agl@google.com>
---
 ssl/s3_clnt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5f891d4e..d0dc2bd1 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -629,8 +629,9 @@ int ssl3_send_client_hello(SSL *s) {
 
     /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
      * renegerate the client_random. The random must be reused. */
-    if (!SSL_IS_DTLS(s) || !s->d1->send_cookie) {
-      ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+    if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) &&
+        !ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random))) {
+      goto err;
     }
 
     /* Do the message type and length last. Note: the final argument to