author | Matt Caswell <matt@openssl.org> | 2014-05-11 11:27:26 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-05-11 11:27:26 +0100 |
commit | 971a7c5ff751d95bf33117e95a6acf2cfc951537 (patch) | |
tree | 3e7a7e81a1240ccfa1b664e688137d1b39298a65 /ssl/s3_pkt.c | |
parent | c388d8b40cb9a3cb67401455509c1497a1a1fcb4 (diff) | |
download | openssl-971a7c5ff751d95bf33117e95a6acf2cfc951537.tar.gz |
Move length check earlier to ensure we don't go beyond the end of the user's buffer. PR#3320
Diffstat (limited to 'ssl/s3_pkt.c')
-rw-r--r-- | ssl/s3_pkt.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 41193bb7d1..ad9dc5154a 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -658,6 +658,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 }
 }
+ /* ensure that if we end up with a smaller value of data to write
+ * out than the the original len from a write which didn't complete
+ * for non-blocking I/O and also somehow ended up avoiding
+ * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+ * it must never be possible to end up with (len-tot) as a large
+ * number that will then promptly send beyond the end of the users
+ * buffer ... so we trap and report the error in a way the user
+ * will notice
+ */
+ if ( len < tot)
+ {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+ return(-1);
+ }
+
 /* first check if there is a SSL3_BUFFER still being written
 * out. This will happen with non blocking IO */
 if (wb->left != 0)
@@ -816,20 +831,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 return tot;
 }
- /* ensure that if we end up with a smaller value of data to write
- * out than the the original len from a write which didn't complete
- * for non-blocking I/O and also somehow ended up avoiding
- * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
- * it must never be possible to end up with (len-tot) as a large
- * number that will then promptly send beyond the end of the users
- * buffer ... so we trap and report the error in a way the user
- * will notice
- */
- if ( len < tot)
- {
- SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
- return(-1);
- }
 n=(len-tot);
 for (;;) |
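Review bot: The guard `if ( len < tot)` now runs once on entry, but the subtraction it protects, `n=(len-tot);`, still sits after the `if (wb->left != 0)` branch, so the guarantee holds only if nothing in that branch advances `tot`; the branch body lies outside the hunk, so this cannot be confirmed from here. If the pending-write path does add to `tot`, the check should be repeated after it or widened to account for the pending bytes as well. `len` is a signed `int` and the declaration of `tot` is not visible; if `tot` is unsigned, a negative `len` would be converted and pass this comparison, so the types are worth confirming. The moved comment is a single run-on sentence with a doubled "the the"; stating the invariant directly would read better, e.g. `/* len must never be smaller than tot: (len-tot) would become a large number and the write would run past the end of the caller's buffer */`.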