Fix NULL dereference in the case of an unexpected extension from a server.

Due to a typo, when a server sent an unknown extension, the extension
number would be taken from a NULL structure rather than from the
variable of the same name that's in the local scope.

BUG=517935

Change-Id: I29d5eb3c56cded40f6155a81556199f12439ae06
Reviewed-on: https://boringssl-review.googlesource.com/5650
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/custom_extensions.c b/ssl/custom_extensions.c
index d0bc257..a56c0f6 100644
--- a/ssl/custom_extensions.c
+++ b/ssl/custom_extensions.c
@@ -133,7 +133,7 @@
       /* Also, if we didn't send the extension, that's also unacceptable. */
       !(ssl->s3->tmp.custom_extensions.sent & (1u << index))) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
-    ERR_add_error_dataf("extension: %u", (unsigned)ext->value);
+    ERR_add_error_dataf("extension: %u", (unsigned)value);
     *out_alert = SSL_AD_DECODE_ERROR;
     return 0;
   }
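Review bot: The rejection path still sets `*out_alert = SSL_AD_DECODE_ERROR`, but RFC 5246 section 7.4.1.4 asks a client that receives an extension it did not offer to abort with unsupported_extension; `*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;` would match that. The condition guarding this block starts above the hunk, so I cannot confirm from here whether the same branch also covers cases where decode_error is the intended alert. Going by the commit message, `ext` can be NULL on this path, so a short comment above the `ERR_add_error_dataf` call, e.g. `/* |ext| may be NULL here; report the wire |value| instead. */`, would help keep the typo from coming back.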
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index ff43678..2c01f15 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -3789,6 +3789,19 @@
 		},
 		flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
 	})
+
+	// Test an unknown extension from the server.
+	testCases = append(testCases, testCase{
+		testType: clientTest,
+		name:     "UnknownExtension-Client",
+		config: Config{
+			Bugs: ProtocolBugs{
+				CustomExtension: expectedContents,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_EXTENSION:",
+	})
 }
 
 func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
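Review bot: The comment `// Test an unknown extension from the server.` does not say why the extension is unknown or which regression the case guards. The new test case passes no `flags`, so the shim presumably never offers the custom extension while the runner's `CustomExtension` bug still sends one; I would write `// The shim is not configured with a custom extension, so the server's is unsolicited: the client must fail with UNEXPECTED_EXTENSION rather than crash while building the error.` The case asserts only the shim's error string; if the runner can also check the alert it receives, pinning that here would catch a later change to the alert sent on this path. The enclosing function starts above the hunk.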