authornelsonb%netscape.com <devnull@localhost>2000-12-02 01:01:15 +0000
committernelsonb%netscape.com <devnull@localhost>2000-12-02 01:01:15 +0000
commit568990070781ef13b80c2e3fffce2f84904c1e24 (patch)
tree13e65af2c7746054a0fc1da7bc0e6d3f86b4c9e8
parent1262c956cdd4aa641cca1c7e5c0dbaa73d4bfa61 (diff)
downloadnss-hg-568990070781ef13b80c2e3fffce2f84904c1e24.tar.gz
In ssl3_GatherData, the value of gs->inbuf.len was incorrect during the
GS_HEADER state. It should be correct in all states. In ssl_DestroyGather, prior to freeing the buffers, the code zeroed out the ciphertext buffer. It now zeros out the plaintext buffer instead. Fixes bug 61784.
-rw-r--r--security/nss/lib/ssl/ssl3gthr.c4
-rw-r--r--security/nss/lib/ssl/sslgathr.c8
2 files changed, 6 insertions, 6 deletions
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index 909850e94..2937e6c3c 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -76,6 +76,7 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
gs->offset = 0;
gs->writeOffset = 0;
gs->readOffset = 0;
+ gs->inbuf.len = 0;
}
lbp = gs->inbuf.buf;
@@ -108,8 +109,9 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
}
gs->offset += nb;
- gs->inbuf.len += nb;
gs->remainder -= nb;
+ if (gs->state == GS_DATA)
+ gs->inbuf.len += nb;
/* if there's more to go, read some more. */
if (gs->remainder > 0) {
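Review bot: The new `if (gs->state == GS_DATA)` guard is unbraced and has no comment, so the reason the length is not advanced in other states is recorded only in the commit message. I would brace it and add a comment such as `/* inbuf.len counts record-body bytes only; bytes read in GS_HEADER are not part of inbuf */`; this wording is inferred from the commit description, so check it against where the header bytes are actually stored. Because inbuf.len presumably bounds later processing of the record, a debug check right after the increment, `PORT_Assert(gs->inbuf.len <= gs->inbuf.space);`, would catch any future drift between the two counters (this assumes inbuf has the same `space` field as `gs->buf`). The body of ssl3_GatherData starts and ends outside this hunk.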
diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c
index 737a55c9b..e9176172f 100644
--- a/security/nss/lib/ssl/sslgathr.c
+++ b/security/nss/lib/ssl/sslgathr.c
@@ -436,11 +436,9 @@ ssl_NewGather(void)
void
ssl_DestroyGather(sslGather *gs)
{
- if (gs->inbuf.buf != NULL) {
- PORT_ZFree(gs->inbuf.buf, gs->inbuf.len);
- }
- if (gs) {
- PORT_Free(gs->buf.buf);
+ if (gs) { /* the PORT_*Free functions check for NULL pointers. */
+ PORT_ZFree(gs->buf.buf, gs->buf.space);
+ PORT_Free(gs->inbuf.buf);
PORT_Free(gs);
}
}
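Review bot: The ciphertext buffer `gs->inbuf.buf` is now released with plain `PORT_Free`, which is fine only if no code path ever leaves decrypted bytes in inbuf. That cannot be confirmed from this hunk, so either verify it or keep `PORT_ZFree(gs->inbuf.buf, gs->inbuf.space);` as inexpensive defence in depth. The use of `gs->buf.space` rather than `gs->buf.len` as the wipe length is the right choice but deserves a comment, for example `/* wipe the whole allocation: an earlier, longer record may have left plaintext past the current len */`, assuming `space` is the allocated capacity. The trailing comment on the `if (gs)` line would read better on its own line above the frees.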