From fa2a1385eafb1606bd49c1fcff4939f255fd81e6 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 3 Apr 2020 17:03:47 +0200
Subject: [PATCH] ssl: fix handshake cert buffer sizing

'trec' buffer was not grown properly when it was checked as too small. After this it wasn't checked again so that copying into the buffer could overflow it.
---
 src/app-layer-ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 8787783d76..691a3e7b3c 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -1408,7 +1408,7 @@ static int SSLv3ParseHandshakeType(SSLState *ssl_state, const uint8_t *input,
 if (ssl_state->curr_connp->trec_pos + input_len >=
 ssl_state->curr_connp->trec_len) {
 ssl_state->curr_connp->trec_len =
- ssl_state->curr_connp->trec_len + 2 * input_len + 1;
+ ssl_state->curr_connp->trec_pos + 2 * input_len + 1;
 ptmp = SCRealloc(ssl_state->curr_connp->trec,
 ssl_state->curr_connp->trec_len);
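Review bot: `trec_len` is overwritten with the grown size before `SCRealloc()` is known to have succeeded, so on the failure path the connection state describes a buffer larger than the one `trec` points to; whether that path resets both fields cannot be seen here, because the body of SSLv3ParseHandshakeType continues outside the hunk. Computing the size into a local and committing it together with the pointer keeps the two fields consistent: `new_len = ssl_state->curr_connp->trec_pos + 2 * input_len + 1;`, then `ptmp = SCRealloc(ssl_state->curr_connp->trec, new_len);`, and `ssl_state->curr_connp->trec_len = new_len;` only once `ptmp` is non-NULL. The sum itself, like the guard `trec_pos + input_len >= trec_len`, has no visible wrap check or upper bound; if these fields are fixed-width unsigned integers and `input_len` is derived from peer-supplied data, a cap on the handshake buffer before the growth step would be worth adding. A one-line comment stating the invariant the later copy relies on, `/* after growth: trec_pos + input_len < trec_len */`, would also make the reason for using `trec_pos` clear to the next reader.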