diff options
| author | Tim Hudson <tjh@cryptsoft.com> | 2014-05-11 13:29:59 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2014-05-11 13:29:59 +0100 |
| commit | 4d8cca8a7ecac547d07042f921469681cc869ed6 (patch) | |
| tree | 083fe671c5b22e654e684244a787360c010ea9d7 /ssl/s3_pkt.c | |
| parent | d61be85581c372aee8c22510be0d9f86ed88d51a (diff) | |
safety check to ensure we dont send out beyond the users buffer
Diffstat (limited to 'ssl/s3_pkt.c')
| -rw-r--r-- | ssl/s3_pkt.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 8deeab3c9f..40eb0dd347 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -598,6 +598,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } } + /* ensure that if we end up with a smaller value of data to write + * out than the the original len from a write which didn't complete + * for non-blocking I/O and also somehow ended up avoiding + * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as + * it must never be possible to end up with (len-tot) as a large + * number that will then promptly send beyond the end of the users + * buffer ... so we trap and report the error in a way the user + * will notice + */ + if ( len < tot) + { + SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH); + return(-1); + } + + n=(len-tot); for (;;) { |