Hi

While going through the code of `tls_read` listed below, it looks to me as if
there is a possibility of returning 0 on error when the following code flow
takes place

1)
If tls_handshake(ctx) returns 0, rv is now 0. Execution continues to
 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
                if ((rv = tls_handshake(ctx)) != 0)
                        goto out;
        }

2)
Now, if buflen > INT_MAX, it exits via `goto out` with rv still 0 (set in
step 1)
 if (buflen > INT_MAX) {
                tls_set_errorx(ctx, "buflen too long");
                goto out;
        }


The fix is not to assign to `rv` when handshaking. The same logic applies
to `tls_write` as well.
Patch attached for your perusal; please feel free to ignore it if this was
done intentionally.

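/*
 * Read application data from the TLS connection `ctx` into `buf`, which
 * holds `buflen` bytes.
 *
 * Returns the number of bytes read on success. If the handshake has not
 * completed yet, it is driven first and any non-zero handshake result
 * (an error, or a want-poll indication such as TLS_WANT_POLLIN /
 * TLS_WANT_POLLOUT) is returned unchanged. Otherwise -1 is returned on
 * error, or whatever tls_ssl_error() returns for a failed SSL_read().
 * errno is always cleared before returning.
 */
ssize_t
tls_read(struct tls *ctx, void *buf, size_t buflen)
{
        ssize_t rv = -1;
        int ssl_ret;

        tls_error_clear(&ctx->error);

        if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
                /*
                 * Keep the assignment: a non-zero result must reach the
                 * caller as-is, since it may be a want-poll value rather
                 * than a hard error.
                 */
                if ((rv = tls_handshake(ctx)) != 0)
                        goto out;
                /*
                 * The handshake completed in this call and left rv at 0.
                 * Reset it so the error paths below cannot return 0,
                 * which callers would likely misread as a clean EOF.
                 */
                rv = -1;
        }

        if (buflen > INT_MAX) {
                tls_set_errorx(ctx, "buflen too long");
                goto out;
        }

        ERR_clear_error();
        if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
                rv = (ssize_t)ssl_ret;
                goto out;
        }
        rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");

 out:
        /* Prevent callers from performing incorrect error handling */
        errno = 0;
        return (rv);
}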






-- 
Warm Regards
--Dev
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 8f2c7dd..0533082 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -707,7 +707,7 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
 	tls_error_clear(&ctx->error);
 
 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
-		if ((rv = tls_handshake(ctx)) != 0)
+		if (tls_handshake(ctx) != 0)
 			goto out;
 	}
 
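Review bot: The rewritten `if (tls_handshake(ctx) != 0)` on the `+` line discards the handshake's return value, so when the handshake cannot complete yet the function reaches `out` with rv still -1 and the caller sees a hard error instead of the want-poll indication (presumably TLS_WANT_POLLIN/TLS_WANT_POLLOUT) that tls_handshake() returns in that case. The return-0 problem the commit describes is real, but it is better fixed by keeping the assignment and resetting rv once the handshake has completed: `if ((rv = tls_handshake(ctx)) != 0) goto out;` followed by `rv = -1;` before the buflen check, or alternatively `rv = -1;` inside the "buflen too long" branch. The same applies to the tls_write hunk at -738,7. Both enclosing functions start and end outside their hunks.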
@@ -738,7 +738,7 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
 	tls_error_clear(&ctx->error);
 
 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
-		if ((rv = tls_handshake(ctx)) != 0)
+		if (tls_handshake(ctx) != 0)
 			goto out;
 	}
 
