Constrain bytes read/written to positive values.

ok miod@ tedu@

diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 4a8462e..a5ed3c0 100644 (file)
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -561,6 +561,11 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        unsigned int tot, n, nw;
        int i;
 
+       if (len < 0) {
+               SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
+               return -1;
+       }
+
        s->rwstate = SSL_NOTHING;
        tot = s->s3->wnum;
        s->s3->wnum = 0;
@@ -902,6 +907,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (!ssl3_setup_read_buffer(s))
                        return (-1);
 
+       if (len < 0) {
+               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+               return -1;
+       }
+
        if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
            (type != SSL3_RT_HANDSHAKE) && type) ||
            (peek && (type != SSL3_RT_APPLICATION_DATA))) {

diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 4a8462e..a5ed3c0 100644 (file)
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -561,6 +561,11 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        unsigned int tot, n, nw;
        int i;
 
+       if (len < 0) {
+               SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
+               return -1;
+       }
+
        s->rwstate = SSL_NOTHING;
        tot = s->s3->wnum;
        s->s3->wnum = 0;
@@ -902,6 +907,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (!ssl3_setup_read_buffer(s))
                        return (-1);
 
+       if (len < 0) {
+               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+               return -1;
+       }
+
        if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
            (type != SSL3_RT_HANDSHAKE) && type) ||
            (peek && (type != SSL3_RT_APPLICATION_DATA))) {