From 67da3deddd2d80b66310307620d7891a440ae2ce Mon Sep 17 00:00:00 2001
From: bnc
Date: Thu, 15 Jan 2015 13:02:26 -0800
Subject: Fix dangling pointer in OpenSSL NPN fallback.
A copy assignment to |std::string proto| copies data, then |*out| takes its address, and |proto| goes out of scope, freeing |**out|. This CL replaces that with a |const char*|, so that |*out| would point to the literal |char[]| defined in NextProtoToString.
BUG=448428
Review URL: https://codereview.chromium.org/849243003
Cr-Commit-Position: refs/heads/master@{#311732}
---
 net/socket/ssl_client_socket_openssl.cc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index a78a7cf..504b702 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 #include "base/bind.h"
 #include "base/callback_helpers.h"
@@ -1900,9 +1901,10 @@ int SSLClientSocketOpenSSL::SelectNextProtoCallback(unsigned char** out,
 // If we didn't find a protocol, we select the first one from our list.
 if (npn_status_ == kNextProtoNoOverlap) {
- const std::string proto = NextProtoToString(ssl_config_.next_protos[0]);
- *out = reinterpret_cast(const_cast(proto.data()));
- *outlen = proto.size();
+ // NextProtoToString returns a pointer to a static string.
+ const char* proto = NextProtoToString(ssl_config_.next_protos[0]);
+ *out = reinterpret_cast(const_cast(proto));
+ *outlen = strlen(proto);
 }
 npn_proto_.assign(reinterpret_cast(*out), *outlen);
-- cgit v1.1
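Review bot: The new comment in the `kNextProtoNoOverlap` branch says the string is static but not why that matters. `*out` is read after the block closes, by `npn_proto_.assign(...)` on the next statement and presumably by the TLS library once the callback returns, so block-scoped storage would dangle again. I would put the requirement at the use site, e.g. `// |*out| is read after this block ends, so it must point at storage that outlives the callback; NextProtoToString returns a pointer to a static string.`, and repeat the guarantee on NextProtoToString's declaration, which is outside this hunk. Separately, `*outlen = strlen(proto);` narrows a `size_t`; if `outlen` is an `unsigned char*`, as the type of `out` suggests, a `DCHECK_LE(strlen(proto), 255u);` before the assignment would make the length assumption explicit. The function body starts and ends outside the hunk, so the guard for an empty `ssl_config_.next_protos` before the `[0]` index cannot be confirmed from here.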