The function BIO_ctrl can return a negative integer in an error case. A few lines below, a call to a similar function, BIO_flush, is checked as though both negative and zero error values are possible.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@match@
expression x, E;
position p1,p2,p3;
constant C;
@@

(
break; // parsing problem, show that this is a statement disjunction
|
(x = BIO_ctrl(...)) <= \(0\|-C\)
|
(x = BIO_ctrl(...)) < \(0\|-C\)
|
(x = BIO_ctrl(...)) > 0
|
(x = BIO_ctrl(...)) == -C
|
x...@p1 = BIO_ctrl(...)
<... when != x <= \(0\|-C\)
     when != x < \(0\|-C\)
     when != x > 0
     when != x == -C
(
 (x...@p3 != 0 || ...) // ensure it is a test expression
|
 x...@p3 == 0
)
...>
(
return ...;
|
x...@p2++
|
x...@p2--
|
x...@p2 += E
|
x...@p2 -= E
|
x...@p2 = E
)
)

@script:python@
p1 << match.p1;
p3 << match.p3;
@@

cocci.print_main("BIO_ctrl",p1)
cocci.print_secs("test",p3)
cocci.include_match(False)
// </smpl>

--- diff -u -p a/ssl/s2_srvr.c b/ssl/s2_srvr.c --- a/ssl/s2_srvr.c 2009-01-08 00:44:26.000000000 +0100 +++ b/ssl/s2_srvr.c 2009-09-22 16:05:49.000000000 +0200 @@ -267,7 +267,7 @@ int ssl2_accept(SSL *s) case SSL2_ST_SEND_SERVER_VERIFY_C: /* get the number of bytes to write */ num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); - if (num1 != 0) + if (num1 > 0) { s->rwstate=SSL_WRITING; num1=BIO_flush(s->wbio);
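Review bot: With the test in ssl2_accept() changed to "if (num1 > 0)", a negative return from BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL) is no longer mistaken for a pending byte count, but it is now handled exactly like 0, so the error is dropped silently and the SSL2_ST_SEND_SERVER_VERIFY_C case carries on as if the write buffer were empty. If a failure of BIO_ctrl should stop the handshake at this point, add an explicit "num1 < 0" branch that reports the error instead of folding it into the no-data path, and state in the commit message which behaviour is intended. A smaller point: num1 holds the BIO_ctrl byte count and is then overwritten with the BIO_flush result inside the block; a separate variable for the flush status would make the two checks easier to read.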
