Move length check earlier to ensure we don't go beyond the end of the user's buffer. PR#3320

971a7c5f · Matt Caswell · c388d8b4 · 971a7c5f
隐藏空白更改
内联并排

Showing with 15 addition and 14 deletion

ssl/s3_pkt.c ssl/s3_pkt.c +15 -14

未找到文件。
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -658,6 +658,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 			}
 		}

+	/* ensure that if we end up with a smaller value of data to write 
+	 * out than the the original len from a write which didn't complete 
+	 * for non-blocking I/O and also somehow ended up avoiding 
+	 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+	 * it must never be possible to end up with (len-tot) as a large
+	 * number that will then promptly send beyond the end of the users
+	 * buffer ... so we trap and report the error in a way the user
+	 * will notice
+	 */
+	if ( len < tot)
+		{
+		SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+		return(-1);
+		}
+
 	/* first check if there is a SSL3_BUFFER still being written
 	 * out.  This will happen with non blocking IO */
 	if (wb->left != 0)
@@ -816,20 +831,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 		return tot;
 		}

-	/* ensure that if we end up with a smaller value of data to write 
-	 * out than the the original len from a write which didn't complete 
-	 * for non-blocking I/O and also somehow ended up avoiding 
-	 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
-	 * it must never be possible to end up with (len-tot) as a large
-	 * number that will then promptly send beyond the end of the users
-	 * buffer ... so we trap and report the error in a way the user
-	 * will notice
-	 */
-	if ( len < tot)
-		{
-		SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
-		return(-1);
-		}

 	n=(len-tot);
 	for (;;)