From 56fd2aac201d881f9d656a5d41203f4335f4216b Mon Sep 17 00:00:00 2001
From: Andre Noll
Date: Mon, 26 Sep 2011 14:34:29 +0200
Subject: [PATCH] openssl RC4: Fix another invalid read.

Commit 11993981 fixed this bug for the RC4 sending function but missed to change sc_recv_bin_buffer() accordingly. This patch avoids the following invalid read detected by valgrind:
==23299== Invalid read of size 8
==23299== at 0x510A020: RC4 (in /lib/libcrypto.so.0.9.8)
==23299== by 0x408771: sc_recv_bin_buffer (crypt.c:313)
==23299== by 0x40837F: sc_recv_buffer (crypt_common.c:331)
==23299== by 0x4073C2: T.41 (client_common.c:139)
==23299== by 0x407758: client_post_select (client_common.c:268)
==23299== by 0x406A34: schedule (sched.c:71)
==23299== by 0x405625: main (client.c:572)
==23299== Address 0x613ccb8 is 3,992 bytes inside a block of size 3,999 alloc'd
==23299== at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==23299== by 0x405D9F: para_malloc (string.c:65)
==23299== by 0x408741: sc_recv_bin_buffer (crypt.c:309)
==23299== by 0x40837F: sc_recv_buffer (crypt_common.c:331)
==23299== by 0x4073C2: T.41 (client_common.c:139)
==23299== by 0x407758: client_post_select (client_common.c:268)
==23299== by 0x406A34: schedule (sched.c:71)
==23299== by 0x405625: main (client.c:572)
---
 crypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypt.c b/crypt.c
index 5b7029d3..7b7c16d3 100644
--- a/crypt.c
+++ b/crypt.c
@@ -306,7 +306,7 @@ int sc_send_bin_buffer(struct stream_cipher_context *scc, char *buf,
 int sc_recv_bin_buffer(struct stream_cipher_context *scc, char *buf,
 size_t size)
 {
- unsigned char *tmp = para_malloc(size);
+ unsigned char *tmp = para_malloc(ROUND_UP(size, RC4_ALIGN));
 ssize_t ret = recv(scc->fd, tmp, size, 0);

 if (ret > 0)
-- 
2.39.5
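Review bot: The padded allocation in sc_recv_bin_buffer() has no comment saying why it is larger than the `size` still passed to recv() on the next line, so a later cleanup could easily "simplify" it back to `para_malloc(size)` and bring back the out-of-bounds read. A one-line comment above the allocation would pin the intent, for example `/* RC4() reads whole words and may touch bytes past the input; pad to RC4_ALIGN. */`, which matches the 8-byte read at offset 3,992 of a 3,999-byte block in the valgrind trace. The commit message says the sending path got the same fix earlier and this call site was missed, so moving the rounded-up allocation into one small static helper used by both paths would stop a further RC4 call site from repeating the omission. It would also be worth confirming that ROUND_UP cannot wrap for a very large `size`, since the macro definition and the callers are not visible here. The function body continues past the end of the hunk, so the handling of `ret <= 0` and the release of `tmp` could not be reviewed.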