There is only one read buffer
author Matt Caswell <matt@openssl.org>
Tue, 26 Apr 2016 15:00:09 +0000 (16:00 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 17 May 2016 15:37:45 +0000 (16:37 +0100)
Pipelining introduced the concept of multiple records being read in one
go. Therefore we work with an array of SSL3_RECORD objects. The pipelining
change erroneously made a change in ssl3_get_record() to apply the current
record offset to the SSL3_BUFFER we are using for reading. This is wrong -
there is only ever one read buffer. This reverts that change. In practice
this should make little difference because the code block in question is
only ever used when we are processing a single record.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
ssl/record/ssl3_record.c

index 3c285726c1574a7c68b7bcc1d1dd8410a679c644..766c3af5523da9142e9d97d65e76742a12a64afe 100644 (file)
@@ -276,7 +276,7 @@ int ssl3_get_record(SSL *s)
 
                 rr[num_recs].length = ((p[0] & 0x7f) << 8) | p[1];
 
-                if (rr[num_recs].length > SSL3_BUFFER_get_len(&rbuf[num_recs])
+                if (rr[num_recs].length > SSL3_BUFFER_get_len(rbuf)
                                  - SSL2_RT_HEADER_LENGTH) {
                     al = SSL_AD_RECORD_OVERFLOW;
                     SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_PACKET_LENGTH_TOO_LONG);
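Review bot: The changed condition now compares an indexed `rr[num_recs].length` against an unindexed `SSL3_BUFFER_get_len(rbuf)`, and nothing at that line explains the asymmetry. Add a short comment there saying that `rr` is an array of records while `rbuf` is the single read buffer, so the `&rbuf[num_recs]` form is not reintroduced later. The commit message says this block is only used when a single record is being processed; stating or asserting that `num_recs` is 0 at this point would document why no behaviour change is expected. Separately, the unchanged continuation line subtracts `SSL2_RT_HEADER_LENGTH` from the buffer length: if `SSL3_BUFFER_get_len()` returns an unsigned type, confirm the buffer length can never be smaller than the header length, otherwise the bound wraps and the overflow check passes for any record length.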