From: Bodo Möller
Date: Mon, 18 Dec 2000 11:32:09 +0000 (+0000)
Subject: Fix another buffer overrun bug (which is not really a bug because
X-Git-Tag: OpenSSL_0_9_6a-beta1~103
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=7947f98b9b27a9fbd0d6c8a054ae354b9d333bfe;p=oweals%2Fopenssl.git
Fix another buffer overrun bug (which is not really a bug because s->s2->escape is never set when sending data because the escape bit is just reserved for future use in SSL 2.0)
---
diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
index e2499083e9..2866d61fa4 100644
--- a/ssl/s2_pkt.c
+++ b/ssl/s2_pkt.c
@@ -559,21 +559,35 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
 }
 else if ((bs <= 1) && (!s->s2->escape))
 {
- /* len=len; */
+ /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
 s->s2->three_byte_header=0;
 p=0;
 }
 else /* we may have to use a 3 byte header */
 {
- /*len=len; */
+ /* If s->s2->escape is not set, then
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
+ * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
 p=(j%bs);
 p=(p == 0)?0:(bs-p);
 if (s->s2->escape)
+ {
 s->s2->three_byte_header=1;
+ if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
+ j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
+ }
 else
 s->s2->three_byte_header=(p == 0)?0:1;
 }
 }
+
+ /* Now
+ * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
+ * holds, and if s->s2->three_byte_header is set, then even
+ * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
+ */
+
 /* mac_size is the number of MAC bytes
 * len is the number of data bytes we are going to send
 * p is the number of padding bytes
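Review bot: In the `if (s->s2->escape)` branch, `j` is clamped to `SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER` only after `p=(j%bs); p=(p == 0)?0:(bs-p);` has already derived the padding from the unclamped value, so when the clamp fires `p` no longer corresponds to the `j` that is actually used. The commit message says the escape bit is never set on send, so this path is presumably unreachable today, but the new closing comment states the bound as an invariant that later code and readers will rely on. Either move the clamp ahead of the padding computation, e.g. `if (s->s2->escape && j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;` placed before `p=(j%bs);`, or recompute `p` after the clamp. Whether `j` plus `p` must also fit within the limit cannot be judged from here, since do_ssl_write starts and ends outside the hunk.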