diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
index 656fde2f021..d5701d6bd6b 100644
--- a/mozilla/security/nss/lib/ssl/ssl3ext.c
+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
@@ -41,7 +41,7 @@
 * ***** END LICENSE BLOCK ***** */
 /* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.21 2012-02-15 21:52:08 kaie%kuix.de Exp $ */
+/* $Id: ssl3ext.c,v 1.22 2012-03-12 19:14:12 wtc%google.com Exp $ */
 #include "nssrenam.h"
 #include "nss.h"
@@ -592,10 +592,7 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 unsigned char resultBuffer[255];
 SECItem result = { siBuffer, resultBuffer, 0 };
- if (ss->firstHsDone) {
- PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
- return SECFailure;
- }
+ PORT_Assert(!ss->firstHsDone);
 rv = ssl3_ValidateNextProtoNego(data->data, data->len);
 if (rv != SECSuccess)
@@ -607,6 +604,8 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 */
 PORT_Assert(ss->nextProtoCallback != NULL);
 if (!ss->nextProtoCallback) {
+ /* XXX Use a better error code. This is an application error, not an
+ * NSS bug. */
 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 return SECFailure;
 }
@@ -617,7 +616,7 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 return rv;
 /* If the callback wrote more than allowed to |result| it has corrupted our
 * stack. */
- if (result.len > sizeof result) {
+ if (result.len > sizeof resultBuffer) {
 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 return SECFailure;
 }
diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
index dcfd39286c2..c9289fff4dc 100644
--- a/mozilla/security/nss/lib/ssl/sslsock.c
+++ b/mozilla/security/nss/lib/ssl/sslsock.c
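Review bot: In ssl3ext.c, ssl3_ClientHandleNextProtoNegoXtn now guards the renegotiation case only with `PORT_Assert(!ss->firstHsDone);`, and PORT_Assert is a debug-build assertion, so an optimized build would go on to validate the extension and invoke the callback if a peer did send NPN after the first handshake. If that cannot happen because the extension is never offered on a renegotiation, the assert should say so, for example `/* NPN is only offered in the first handshake, so the server cannot echo it here. */`; the sending side is not shown in this hunk, so that claim needs confirming. Otherwise keep the removed `if (ss->firstHsDone)` failure branch after the assert, the way the `ss->nextProtoCallback` check a few lines further down pairs a PORT_Assert with a runtime check. The function's body starts and ends outside the hunk.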
@@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.83 2012-03-11 04:32:35 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.84 2012-03-12 19:14:12 wtc%google.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
@@ -1382,7 +1382,7 @@ SSL_SetNextProtoCallback(PRFileDesc *fd, SSLNextProtoCallback callback,
 return SECSuccess;
 }
-/* NextProtoStandardCallback is set as an NPN callback for the case when
+/* ssl_NextProtoNegoCallback is set as an NPN callback for the case when
 * SSL_SetNextProtoNego is used. */
 static SECStatus
@@ -1428,12 +1428,12 @@ pick_first:
 result = ss->opt.nextProtoNego.data;
 found:
- *protoOutLen = result[0];
 if (protoMaxLen < result[0]) {
 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 return SECFailure;
 }
 memcpy(protoOut, result + 1, result[0]);
+ *protoOutLen = result[0];
 return SECSuccess;
 }
@@ -1487,13 +1487,12 @@ SSL_GetNextProto(PRFileDesc *fd, SSLNextProtoState *state, unsigned char *buf,
 if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT && ss->ssl3.nextProto.data) {
- *bufLen = ss->ssl3.nextProto.len;
- if (*bufLen > bufLenMax) {
+ if (ss->ssl3.nextProto.len > bufLenMax) {
 PORT_SetError(SEC_ERROR_OUTPUT_LEN);
- *bufLen = 0;
 return SECFailure;
 }
 PORT_Memcpy(buf, ss->ssl3.nextProto.data, ss->ssl3.nextProto.len);
+ *bufLen = ss->ssl3.nextProto.len;
 } else {
 *bufLen = 0;
 }
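Review bot: With the assignment moved below the length check, the SEC_ERROR_OUTPUT_LEN path after `found:` now returns without writing `*protoOutLen`, and the SSL_GetNextProto hunk likewise drops the `*bufLen = 0;` it used to perform before failing. A caller that reads the length without checking the return value would now see whatever the variable held before the call. SSL_GetNextProto looks like public API, so its header comment should state the contract, for example `/* On failure *bufLen is left unmodified; callers must check the return value. */`, with the same remark on the callback. As a smaller style point, the callback copies with `memcpy` while SSL_GetNextProto uses `PORT_Memcpy`. Both functions begin outside their hunks.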