From 716302c2cd59f96ecd96f949db92576d204cabae Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 9 Feb 2016 23:37:14 +0100
Subject: mbedtls: fix ALPN usage segfault

Since we didn't keep the input argument around after having called mbedtls, it could end up accessing the wrong memory when figuring out the ALPN protocols.

Closes #642
---
 lib/vtls/mbedtls.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'lib/vtls')

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index cc71f59d9..cf8996786 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -384,19 +384,21 @@ mbedtls_connect_step1(struct connectdata *conn,
 #ifdef HAS_ALPN
 if(data->set.ssl_enable_alpn) {
- const char *protocols[3];
- const char **p = protocols;
+ const char **p = &connssl->protocols[0];
 #ifdef USE_NGHTTP2
 if(data->set.httpversion >= CURL_HTTP_VERSION_2)
 *p++ = NGHTTP2_PROTO_VERSION_ID;
 #endif
 *p++ = ALPN_HTTP_1_1;
 *p = NULL;
- if(mbedtls_ssl_conf_alpn_protocols(&connssl->config, protocols)) {
+ /* this function doesn't clone the protocols array, which is why we need
+ to keep it around */
+ if(mbedtls_ssl_conf_alpn_protocols(&connssl->config,
+ &connssl->protocols[0])) {
 failf(data, "Failed setting ALPN protocols");
 return CURLE_SSL_CONNECT_ERROR;
 }
- for(p = protocols; *p; ++p)
+ for(p = &connssl->protocols[0]; *p; ++p)
 infof(data, "ALPN, offering %s\n", *p);
 }
 #endif
-- 
cgit v1.2.3
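Review bot: The writes through `p` into `connssl->protocols` are not bounded anywhere in this hunk, and the member's declaration lies outside it, so its capacity cannot be checked from here. Up to three slots are filled (`NGHTTP2_PROTO_VERSION_ID`, `ALPN_HTTP_1_1` and the terminating `NULL`); the removed local was `protocols[3]`, so the struct member presumably has the same size, but that should be confirmed. A comment at the declaration would keep a later ALPN addition from overrunning it, for example `/* must hold every ALPN id offered in mbedtls_connect_step1 plus the NULL terminator; mbedtls keeps this pointer */`. The new comment in the hunk explains why the array must outlive the call, and it would help to state there that the array has to live as long as `connssl->config`. `mbedtls_connect_step1` starts and ends outside the hunk.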