2 files changed, 22 insertions, 5 deletions

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 0fa3149912..bf9305f396 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -505,6 +505,7 @@ ssl3_generate_export_iv(StringInfo* r1,
     SSL_MD5_CTX md5;
     guint8 tmp[16];
     
+    memset(&md5, 0, sizeof(md5));
     ssl_md5_init(&md5);
     ssl_md5_update(&md5,r1->data,r1->data_len);
     ssl_md5_update(&md5,r2->data,r2->data_len);
@@ -530,6 +531,7 @@ ssl3_prf(StringInfo* secret, const char* usage,
     
     rnd1=r1; rnd2=r2;
         
+    memset(&md5,0,sizeof(md5));
     ssl_md5_init(&md5);
     memset(&sha,0,sizeof(sha));
     ssl_sha_init(&sha);
@@ -729,6 +731,8 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session)
             
             SSL_MD5_CTX md5;
             ssl_debug_printf("ssl_generate_keyring_material MD5(client_random)\n");
+            
+            memset(&md5, 0, sizeof(md5));
             ssl_md5_init(&md5);
             ssl_md5_update(&md5,c_wk,ssl_session->cipher_suite.eff_bits/8);
             ssl_md5_update(&md5,ssl_session->client_random.data,
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 9cda2b0a38..d2139624b8 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2007,6 +2007,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
                     /* PAOLO: here we can have all the data to build session key*/
                     StringInfo encrypted_pre_master;
                     int ret;
+                    unsigned encrlen = length, skip = 0;
     
                     if (!ssl)
                         break;
@@ -2021,11 +2022,23 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
                         break;
                     }
                                 
-                    /* get encrypted data, we must skip tls record len && version and
-                     * 2 bytes of record data */
-                    encrypted_pre_master.data = se_alloc(length - 2);
-                    encrypted_pre_master.data_len = length-2;
-                    tvb_memcpy(tvb, encrypted_pre_master.data, offset+2, length-2);
+                    /* get encrypted data, on tls1 we have to byte to skip
+                     * (it's the encrypted len and should be equal to record len - 2) 
+                     */
+                    if (ssl->version == SSL_VER_TLS)
+                    {
+                        encrlen  = tvb_get_ntohs(tvb, offset);
+                        skip = 2;
+                        if (encrlen > length - 2)
+                        {
+                            ssl_debug_printf("dissect_ssl3_handshake wrong encrypted length (%d max %d)\n",
+                                encrlen, length);
+                            break;
+                        }
+                    }
+                    encrypted_pre_master.data = se_alloc(encrlen);
+                    encrypted_pre_master.data_len = encrlen;
+                    tvb_memcpy(tvb, encrypted_pre_master.data, offset+skip, encrlen);
                     
                     if (!ssl->private_key) {
                         ssl_debug_printf("dissect_ssl3_handshake can't find private key\n");