From 75862f7741d52651eefc2ae71e81a0d0e9d4c5ec Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 28 Apr 2015 15:19:50 +0100 Subject: [PATCH] Sanity check the return from final_finish_mac The return value is checked for 0. This is currently safe but we should really check for <= 0 since -1 is frequently used for error conditions. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit c427570e5098e120cbcb66e799f85c317aac7b91) Conflicts: ssl/ssl_locl.h --- ssl/s3_both.c | 2 +- ssl/ssl_locl.h | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/ssl/s3_both.c b/ssl/s3_both.c index c92fd721e2..019e21cd02 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -168,7 +168,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); - if (i == 0) + if (i <= 0) return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 79b85b9ed9..fb65fed8c8 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1230,7 +1230,6 @@ int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); int dtls1_send_change_cipher_spec(SSL *s, int a, int b); -int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); int dtls1_read_failed(SSL *s, int code); int dtls1_buffer_message(SSL *s, int ccs); int dtls1_retransmit_message(SSL *s, unsigned short seq, -- 2.25.1