safety check to ensure we dont send out beyond the users buffer

author: Tim Hudson <tjh@cryptsoft.com> 2014-04-27 01:55:47 +1000
committer: Matt Caswell <matt@openssl.org> 2014-05-11 11:21:30 +0100
commit: c388d8b40cb9a3cb67401455509c1497a1a1fcb4 (patch)
tree: ef30cf77af390c660ac778db8123ed2bc299b299 /ssl/s3_pkt.c
parent: c4afc40a9b6ca3481642e1bc58164108ee700445 (diff)
download: openssl-c388d8b40cb9a3cb67401455509c1497a1a1fcb4.tar.gz
1 files changed, 15 insertions, 0 deletions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index d601a18171..41193bb7d1 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -816,6 +816,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 		return tot;
 		}
 
+	/* ensure that if we end up with a smaller value of data to write 
+	 * out than the the original len from a write which didn't complete 
+	 * for non-blocking I/O and also somehow ended up avoiding 
+	 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+	 * it must never be possible to end up with (len-tot) as a large
+	 * number that will then promptly send beyond the end of the users
+	 * buffer ... so we trap and report the error in a way the user
+	 * will notice
+	 */
+	if ( len < tot)
+		{
+		SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+		return(-1);
+		}
+
 	n=(len-tot);
 	for (;;)
 		{
author	Tim Hudson <tjh@cryptsoft.com>	2014-04-27 01:55:47 +1000
committer	Matt Caswell <matt@openssl.org>	2014-05-11 11:21:30 +0100
commit	c388d8b40cb9a3cb67401455509c1497a1a1fcb4 (patch)
tree	ef30cf77af390c660ac778db8123ed2bc299b299 /ssl/s3_pkt.c
parent	c4afc40a9b6ca3481642e1bc58164108ee700445 (diff)
download	openssl-c388d8b40cb9a3cb67401455509c1497a1a1fcb4.tar.gz