Fix NULL dereference in the case of an unexpected extension from a server. Due to a typo, when a server sent an unknown extension, the extension number would be taken from a NULL structure rather than from the variable of the same name that's in the local scope. BUG=517935 Change-Id: I29d5eb3c56cded40f6155a81556199f12439ae06 Reviewed-on: https://boringssl-review.googlesource.com/5650 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/custom_extensions.c b/ssl/custom_extensions.c
index d0bc257..a56c0f6 100644
--- a/ssl/custom_extensions.c
+++ b/ssl/custom_extensions.c
@@ -133,7 +133,7 @@
 /* Also, if we didn't send the extension, that's also unacceptable. */
 !(ssl->s3->tmp.custom_extensions.sent & (1u << index))) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
- ERR_add_error_dataf("extension: %u", (unsigned)ext->value);
+ ERR_add_error_dataf("extension: %u", (unsigned)value);
 *out_alert = SSL_AD_DECODE_ERROR;
 return 0;
 }
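Review bot: The corrected `ERR_add_error_dataf` call sits in a branch where `ext` can be NULL (the unknown-extension case described in the commit message), and nothing at the call site says so. The local `value` and the field `ext->value` share a name, which is how the typo arose. I would add a comment directly above the call, `/* |ext| may be NULL here; report the extension number parsed from the wire. */`, so a later edit does not reintroduce the dereference. The branch is driven by an extension the server chooses to send, so the input is peer-controlled and the guard is worth documenting. The `if` condition begins above the hunk, so the NULL test on `ext` is presumably there but is not visible here.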
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index ff43678..2c01f15 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3789,6 +3789,19 @@
 },
 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
 })
+
+ // Test an unknown extension from the server.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "UnknownExtension-Client",
+ config: Config{
+ Bugs: ProtocolBugs{
+ CustomExtension: expectedContents,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_EXTENSION:",
+ })
 }
 
 func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
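Review bot: The new `UnknownExtension-Client` case asserts only `expectedError`, so it does not pin the alert that the C side sets on this path (`SSL_AD_DECODE_ERROR` in the custom_extensions.c hunk). If `testCase` at this revision has a field for the error observed on the Go side (I believe `expectedLocalError`, to be confirmed), asserting the decode_error alert there would catch a later change of the alert as well as the crash. The comment could also record why the case exists, e.g. `// Regression test: an unsolicited custom extension from the server must fail the handshake, not crash the client.` The hunk's trailing context is the opening line of `worker`, whose body lies outside the hunk.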