提交 971a7c5f 编写于 作者: M Matt Caswell

Move length check earlier to ensure we don't go beyond the end of the user's buffer. PR#3320

上级 c388d8b4
......@@ -658,6 +658,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
}
}
/* ensure that if we end up with a smaller value of data to write
* out than the the original len from a write which didn't complete
* for non-blocking I/O and also somehow ended up avoiding
* the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
* it must never be possible to end up with (len-tot) as a large
* number that will then promptly send beyond the end of the users
* buffer ... so we trap and report the error in a way the user
* will notice
*/
if ( len < tot)
{
SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
return(-1);
}
/* first check if there is a SSL3_BUFFER still being written
* out. This will happen with non blocking IO */
if (wb->left != 0)
......@@ -816,20 +831,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
return tot;
}
/* ensure that if we end up with a smaller value of data to write
* out than the the original len from a write which didn't complete
* for non-blocking I/O and also somehow ended up avoiding
* the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
* it must never be possible to end up with (len-tot) as a large
* number that will then promptly send beyond the end of the users
* buffer ... so we trap and report the error in a way the user
* will notice
*/
if ( len < tot)
{
SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
return(-1);
}
n=(len-tot);
for (;;)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册