[openssl-dev] In ssl3_write_bytes, some checks related to handling write failure are missing

Matt Caswell matt at openssl.org
Mon Apr 3 09:09:51 UTC 2017


On 31/03/17 18:54, Raja ashok wrote:
> Hi All,
>
>
>
> In ssl3_write_bytes, if (len < tot) we are returning failure with
> SSL_R_BAD_LENGTH error. In this place I hope we should set “tot” back to
> “s->s3->wnum”. Otherwise when application calls back SSL_write with
> correct buffer, it causes serious problem (“tot” is 0 and iLeft is not
> NULL). I hope we should do like below.
>
>
>
>     if (len < tot) {
>         s->s3->wnum = tot;
>         SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>         return (-1);
>     }

This is 1.0.2 code. The check appears to be earlier in master/1.1.0
(before wnum is reset) and so this isn't an issue there. Really, if an
application passes a bad len value, then this is an application bug and
shouldn't ever happen in a well-behaved application. I'm not sure you
could really describe this as an OpenSSL bug (it's a bit borderline) so
I'm not sure it justifies a patch to 1.0.2 (which only takes bug fixes).

>
> And also we should do one additional check for “len” as mentioned in my
> previous mail.
>
>
>
>     if ((len < tot) || ((tot != 0) && (len < (tot + s->s3->wpend_tot)))) {
>         s->s3->wnum = tot;
>         SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>         return (-1);
>     }

Please could you raise a github pull request for this suggestion? You
will probably need two versions: one targeting master and one targeting
1.0.2 as the code looks a little different in this area.

Matt
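
A simplified model of the entry check discussed in this thread, added here as an illustration; it is not OpenSSL source and not code from either poster. The struct, the function names and the 100/50-byte scenario are constructed, and `wpend_tot` is assumed to be the size of the write still pending.

```c
#include <stddef.h>
#include <stdio.h>

#define BAD_LENGTH (-1)

/* Stand-in for the two fields named in the thread (s->s3->wnum and
 * s->s3->wpend_tot). Constructed for illustration only. */
struct wstate { size_t wnum; size_t wpend_tot; };
typedef int (*entry_check)(struct wstate *s, size_t len);

/* 1.0.2 ordering as described above: wnum is reset before the length
 * check and is not restored when the check fails. */
static int check_1_0_2(struct wstate *s, size_t len)
{
    size_t tot = s->wnum;
    s->wnum = 0;
    if (len < tot)
        return BAD_LENGTH;          /* progress counter is now lost */
    return 0;                       /* write loop itself is not modelled */
}

/* The check proposed in the thread: restore wnum on failure and also
 * reject a retry too short to cover the pending write. */
static int check_proposed(struct wstate *s, size_t len)
{
    size_t tot = s->wnum;
    s->wnum = 0;
    if ((len < tot) || ((tot != 0) && (len < (tot + s->wpend_tot)))) {
        s->wnum = tot;
        return BAD_LENGTH;
    }
    return 0;
}

/* Constructed scenario: 100 bytes already written, 50 bytes pending. */
static int rc_for(entry_check fn, size_t len)
{
    struct wstate s = { 100, 50 };
    return fn(&s, len);
}

static size_t wnum_after(entry_check fn, size_t len)
{
    struct wstate s = { 100, 50 };
    fn(&s, len);
    return s.wnum;
}

int main(void)
{
    printf("len=80:  1.0.2 wnum=%zu, proposed wnum=%zu\n",
           wnum_after(check_1_0_2, 80), wnum_after(check_proposed, 80));
    printf("len=120: 1.0.2 rc=%d, proposed rc=%d\n",
           rc_for(check_1_0_2, 120), rc_for(check_proposed, 120));
    return 0;
}
```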

