vtls: fix memory corruption

author Jay Satiro <raysatiro@yahoo.com>

Wed, 6 Sep 2017 21:39:21 +0000 (23:39 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Thu, 7 Sep 2017 14:06:50 +0000 (16:06 +0200)
author Jay Satiro <raysatiro@yahoo.com>
Wed, 6 Sep 2017 21:39:21 +0000 (23:39 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Thu, 7 Sep 2017 14:06:50 +0000 (16:06 +0200)
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c

index a1a301e7f2e10b0a1d04de863084c97bd366d757..52f9228410169254ba50ce0eb8bb0a6276fec524 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -206,10 +206,20 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
    DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);
    if(ssl_connection_complete == conn->ssl[sockindex].state &&
       !conn->proxy_ssl[sockindex].use) {
+    struct ssl_backend_data *pbdata;
+
      if(!Curl_ssl->support_https_proxy)
        return CURLE_NOT_BUILT_IN;
+
+    /* The pointers to the ssl backend data, which is opaque here, are swapped
+       rather than move the contents. */
+    pbdata = conn->proxy_ssl[sockindex].backend;
      conn->proxy_ssl[sockindex] = conn->ssl[sockindex];
+
      memset(&conn->ssl[sockindex], 0, sizeof(conn->ssl[sockindex]));
+    memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data);
+
+    conn->ssl[sockindex].backend = pbdata;
    }
    return CURLE_OK;
  }
author	Jay Satiro <raysatiro@yahoo.com>
	Wed, 6 Sep 2017 21:39:21 +0000 (23:39 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Thu, 7 Sep 2017 14:06:50 +0000 (16:06 +0200)