From ea629ce4d8aaadcf891a7991fbe0869f7fa87f01 Mon Sep 17 00:00:00 2001
From: beck
Date: Tue, 29 Apr 2014 15:46:54 +0000
Subject: [PATCH] Constrain bytes read/written to positive values. ok miod@ tedu@
---
 lib/libssl/s3_pkt.c | 10 ++++++++++
 lib/libssl/src/ssl/s3_pkt.c | 10 ++++++++++
 2 files changed, 20 insertions(+)
diff --git a/lib/libssl/s3_pkt.c b/lib/libssl/s3_pkt.c
index 4a8462ecb91..a5ed3c07cc6 100644
--- a/lib/libssl/s3_pkt.c
+++ b/lib/libssl/s3_pkt.c
@@ -561,6 +561,11 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 unsigned int tot, n, nw;
 int i;
+ if (len < 0) {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
+
 s->rwstate = SSL_NOTHING;
 tot = s->s3->wnum;
 s->s3->wnum = 0;
@@ -902,6 +907,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 if (!ssl3_setup_read_buffer(s)) return (-1);
+ if (len < 0) {
+ SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
+
 if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || (peek && (type != SSL3_RT_APPLICATION_DATA))) {
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 4a8462ecb91..a5ed3c07cc6 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -561,6 +561,11 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 unsigned int tot, n, nw;
 int i;
+ if (len < 0) {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
+
 s->rwstate = SSL_NOTHING;
 tot = s->s3->wnum;
 s->s3->wnum = 0;
@@ -902,6 +907,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 if (!ssl3_setup_read_buffer(s)) return (-1);
+ if (len < 0) {
+ SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
+
 if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || (peek && (type != SSL3_RT_APPLICATION_DATA))) {
--
2.20.1
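Review bot: The new `len < 0` guard in ssl3_write_bytes rejects a negative length but never relates `len` to `tot`, the `unsigned int` loaded from `s->s3->wnum` just below it. If the rest of the function (outside this hunk) computes the remaining byte count as `len - tot`, a retried call that passes a smaller `len` than the bytes already accounted for would wrap to a very large unsigned value and could read past the end of the caller's buffer. Once `tot` has been loaded, a second check would close that gap: `if ((unsigned int)len < tot) { SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_INTERNAL_ERROR); return -1; }`. The same applies to the identical ssl3_write_bytes hunk in lib/libssl/src/ssl/s3_pkt.c.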
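Review bot: In ssl3_read_bytes the `len < 0` check sits after the `ssl3_setup_read_buffer(s)` call, so a call with an invalid length still runs read-buffer setup before it is rejected. Validating arguments before any side effect is easier to reason about, and moving the `if (len < 0) { ... }` block above the buffer setup would do that. The guard also lets `len == 0` through although the commit title speaks of positive values, so a short comment such as `/* len must be non-negative; zero is passed through */` would state the intended contract. The added `return -1;` also differs from the `return (-1);` form used on the context line just above it. The function body starts and ends outside the hunk, and the identical ssl3_read_bytes hunk in lib/libssl/src/ssl/s3_pkt.c has the same ordering.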