On 31/03/17 18:54, Raja ashok wrote:
> Hi All,
>
> In ssl3_write_bytes, if (len < tot) we are returning failure with
> SSL_R_BAD_LENGTH error. In this place I hope we should set “tot” back to
> “s->s3->wnum”. Otherwise when application calls back SSL_write with
> correct buffer, it causes serious problem (“tot” is 0 and iLeft is not
> NULL). I hope we should do like below.
>
> if (len < tot) {
>     s->s3->wnum = tot;
>     SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>     return (-1);
> }

This is 1.0.2 code. The check appears to be earlier in master/1.1.0 (before wnum is reset) and so this isn't an issue there. Really, if an application passes a bad len value, then this is an application bug and shouldn't ever happen in a well-behaved application. I'm not sure you could really describe this as an OpenSSL bug (it's a bit borderline) so I'm not sure it justifies a patch to 1.0.2 (which only takes bug fixes).

> And also we should do one additional check for “len” as mentioned in my
> previous mail.
>
> if ((len < tot) || ((tot != 0) && (len < (tot + s->s3->wpend_tot)))){
>     s->s3->wnum = tot;
>     SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>     return (-1);
> }

Please could you raise a github pull request for this suggestion? You will probably need two versions: one targeting master and one targeting 1.0.2 as the code looks a little different in this area.

Matt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
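The state problem discussed in the thread, as an added example that is not part of either message and is not OpenSSL code: a simplified model comparing the three orderings of the length check and the `wnum` reset. Only the names `wnum`, `wpend_tot` and `tot` come from the thread; the struct, the enum, the function names and the byte counts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the write state discussed in the thread. The field
 * names wnum and wpend_tot come from the thread; the rest is assumed. */
struct wstate {
    size_t wnum;      /* bytes of the caller's buffer already accepted */
    size_t wpend_tot; /* size of the record still waiting to be flushed */
};

enum order {
    RESET_THEN_CHECK,  /* 1.0.2 as described: wnum cleared before the check */
    RESTORE_ON_ERROR,  /* proposal in the thread: put tot back into wnum */
    CHECK_THEN_RESET   /* master/1.1.0 as described: check comes first */
};

/* Returns -1 for a bad length, else the offset at which the write resumes. */
static long model_write(struct wstate *s, size_t len, enum order o)
{
    size_t tot;

    if (o == CHECK_THEN_RESET && len < s->wnum)
        return -1;                 /* state untouched */
    tot = s->wnum;
    s->wnum = 0;
    if (len < tot) {
        if (o == RESTORE_ON_ERROR)
            s->wnum = tot;         /* keep the resume point for the retry */
        return -1;
    }
    return (long)tot;
}

/* Partial write of 100 bytes with a 50-byte record pending, then a call with
 * a too-short len, then a retry with the correct len (constructed values). */
static long resume_offset_after_bad_len(enum order o)
{
    struct wstate s = { 100, 50 };

    if (model_write(&s, 10, o) != -1)
        return -2;                 /* the short call must be rejected */
    return model_write(&s, 200, o);
}

int main(void)
{
    for (int o = RESET_THEN_CHECK; o <= CHECK_THEN_RESET; o++)
        printf("order %d resumes at %ld\n", o, resume_offset_after_bad_len(o));
    return 0;
}
```

With the reset-then-check ordering the retry resumes at offset 0 while the model still has a pending record, which is the inconsistent state the first message describes; the other two orderings resume at 100.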