Fix a crash on the SSL logic, when a state transition

to DoHandshakeReadComplete() is performed somewhere else
than on DoHandshakeRead().

BUG=11296
TEST=navigate to an SSL page (see the bug, and
crbug.com/1135 for a simpler test case).

Review URL: http://codereview.chromium.org/100269

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@15093 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 9 insertions, 5 deletions

diff --git a/net/base/ssl_client_socket_win.cc b/net/base/ssl_client_socket_win.cc
index 19c94bc..e732e86 100644
--- a/net/base/ssl_client_socket_win.cc
+++ b/net/base/ssl_client_socket_win.cc
@@ -505,15 +505,19 @@ int SSLClientSocketWin::DoHandshakeRead() {
 }
 
 int SSLClientSocketWin::DoHandshakeReadComplete(int result) {
-  DCHECK(transport_buf_);
   if (result < 0) {
     transport_buf_ = NULL;
     return result;
   }
-  DCHECK_LE(result, kRecvBufferSize - bytes_received_);
-  char* buf = recv_buffer_.get() + bytes_received_;
-  memcpy(buf, transport_buf_->data(), result);
-  transport_buf_ = NULL;
+
+  if (transport_buf_) {
+    // A transition to STATE_HANDSHAKE_READ_COMPLETE is set in multiple places,
+    // not only in DoHandshakeRead(), so we may not have a transport_buf_.
+    DCHECK_LE(result, kRecvBufferSize - bytes_received_);
+    char* buf = recv_buffer_.get() + bytes_received_;
+    memcpy(buf, transport_buf_->data(), result);
+    transport_buf_ = NULL;
+  }
 
   if (result == 0 && !ignore_ok_result_)
     return ERR_SSL_PROTOCOL_ERROR;  // Incomplete response :(