From: Tim Hudson Date: Sat, 26 Apr 2014 15:55:47 +0000 (+1000) Subject: safety check to ensure we dont send out beyond the users buffer X-Git-Tag: master-post-reformat~823 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c388d8b40cb9a3cb67401455509c1497a1a1fcb4;p=oweals%2Fopenssl.git safety check to ensure we dont send out beyond the users buffer --- diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index d601a18171..41193bb7d1 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -816,6 +816,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) return tot; } + /* ensure that if we end up with a smaller value of data to write + * out than the the original len from a write which didn't complete + * for non-blocking I/O and also somehow ended up avoiding + * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as + * it must never be possible to end up with (len-tot) as a large + * number that will then promptly send beyond the end of the users + * buffer ... so we trap and report the error in a way the user + * will notice + */ + if ( len < tot) + { + SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH); + return(-1); + } + n=(len-tot); for (;;) {