safety check to ensure we dont send out beyond the users buffer

author Tim Hudson <tjh@cryptsoft.com>

Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)

committer Matt Caswell <matt@openssl.org>

Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)
author Tim Hudson <tjh@cryptsoft.com>
Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)
committer Matt Caswell <matt@openssl.org>
Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c

index 8deeab3c9fbfba52aa338f3130cd82ccdb0eeec5..40eb0dd347cc3babf2d2aee49a06b5d148c3b1a2 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -598,6 +598,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                         }
                 }
  
+       /* ensure that if we end up with a smaller value of data to write 
+        * out than the the original len from a write which didn't complete 
+        * for non-blocking I/O and also somehow ended up avoiding 
+        * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+        * it must never be possible to end up with (len-tot) as a large
+        * number that will then promptly send beyond the end of the users
+        * buffer ... so we trap and report the error in a way the user
+        * will notice
+        */
+       if ( len < tot)
+               {
+               SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+               return(-1);
+               }
+
+
         n=(len-tot);
         for (;;)
                 {
author	Tim Hudson <tjh@cryptsoft.com>
	Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)
committer	Matt Caswell <matt@openssl.org>
	Sun, 11 May 2014 12:29:59 +0000 (13:29 +0100)