vtls: fix memory corruption

Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data, 2017-07-28), the code handling HTTPS proxies was broken because the pointer to the SSL backend data was not swapped between conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but instead set to NULL (causing segmentation faults). [jes: provided the commit message, tested and verified the patch] Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
author: Jay Satiro <raysatiro@yahoo.com> 2017-09-06 23:39:21 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2017-09-07 16:06:50 +0200
commit: 955c21939e58c8ba59877fbb7d628445143241d1 (patch)
tree: b6f36bcce5b5d22f5bd7c3083f22e5ca7de207f7
parent: 4bb80d532e73045b06d23228b3a501d9f7c93acf (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index a1a301e7f..52f922841 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -206,10 +206,20 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
   DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);
   if(ssl_connection_complete == conn->ssl[sockindex].state &&
      !conn->proxy_ssl[sockindex].use) {
+    struct ssl_backend_data *pbdata;
+
     if(!Curl_ssl->support_https_proxy)
       return CURLE_NOT_BUILT_IN;
+
+    /* The pointers to the ssl backend data, which is opaque here, are swapped
+       rather than move the contents. */
+    pbdata = conn->proxy_ssl[sockindex].backend;
     conn->proxy_ssl[sockindex] = conn->ssl[sockindex];
+
     memset(&conn->ssl[sockindex], 0, sizeof(conn->ssl[sockindex]));
+    memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data);
+
+    conn->ssl[sockindex].backend = pbdata;
   }
   return CURLE_OK;
 }
author	Jay Satiro <raysatiro@yahoo.com>	2017-09-06 23:39:21 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2017-09-07 16:06:50 +0200
commit	955c21939e58c8ba59877fbb7d628445143241d1 (patch)
tree	b6f36bcce5b5d22f5bd7c3083f22e5ca7de207f7
parent	4bb80d532e73045b06d23228b3a501d9f7c93acf (diff)