From dedce0c35cf56353050c5406fc6a7fcd37554006 Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Tue, 8 Apr 2014 14:36:50 +0200
Subject: [PATCH] Prevent potential NULL pointer dereference in
 ssl_read_record()

---
 ChangeLog         | 2 ++
 library/ssl_tls.c | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2a7134d31..bb08fcd41 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -17,6 +17,8 @@ Security
      attack was already impossible when authentication is required).
    * Check notBefore timestamp of certificates and CRLs from the future.
    * Forbid sequence number wrapping
+   * Prevent potential NULL pointer dereference in ssl_read_record() (found by
+     TrustInSoft)
 
 Bugfix
    * Fixed X.509 hostname comparison (with non-regular characters)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 95ee96710..9c896b316 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1922,7 +1922,8 @@ int ssl_read_record( ssl_context *ssl )
             return( POLARSSL_ERR_SSL_INVALID_RECORD );
         }
 
-        ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+        if( ssl->state != SSL_HANDSHAKE_OVER )
+            ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
 
         return( 0 );
     }