Flush TLS 1.3 certificate extensions.

(Otherwise we end up touching potentially unwound stack.) I looked into why our builders didn't catch this and it appears that, at least with Clang 3.7, ASAN doesn't notice this. Perhaps Clang at that version is being lazy about destructing the scoped CBB and so doesn't actually go wrong. Change-Id: Ia0f73e7eb662676439f024805fc8287a4e991ce0 Reviewed-on: https://boringssl-review.googlesource.com/12400 Reviewed-by: Adam Langley <agl@google.com>
2016-11-18 11:05:00 -08:00 · 2016-11-18 11:05:00 -08:00 · 6f5f49f33d
commit 6f5f49f33d
parent cfa08c3b77
1 changed files with 4 additions and 2 deletions
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c
@ -457,7 +457,8 @@ int tls13_prepare_certificate(SSL *ssl) {
    if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||
        !CBB_add_u16_length_prefixed(&extensions, &contents) ||
        !CBB_add_bytes(&contents, ssl->ctx->signed_cert_timestamp_list,
-                       ssl->ctx->signed_cert_timestamp_list_length)) {
+                       ssl->ctx->signed_cert_timestamp_list_length) ||
+        !CBB_flush(&extensions)) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      goto err;
    }
@ -471,7 +472,8 @@ int tls13_prepare_certificate(SSL *ssl) {
        !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
        !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||
        !CBB_add_bytes(&ocsp_response, ssl->ctx->ocsp_response,
-                       ssl->ctx->ocsp_response_length)) {
+                       ssl->ctx->ocsp_response_length) ||
+        !CBB_flush(&extensions)) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      goto err;
    }