[openssl-dev] In ssl3_write_bytes, some checks related to hanlding write failure are missing
Matt Caswell
matt at openssl.org
Mon Apr 3 09:09:51 UTC 2017
On 31/03/17 18:54, Raja ashok wrote:
> Hi All,
>
>
>
> In ssl3_write_bytes, if (len < tot) we are returning failure with
> SSL_R_BAD_LENGTH error. In this place I hope we should set “tot” back to
> “s->s3->wnum”. Otherwise when application calls back SSL_write with
> correct buffer, it causes serious problem (“tot” is 0 and iLeft is not
> NULL). I hope we should do like below.
>
>
>
> if (len < tot) {
>
> s->s3->wnum = tot;
>
> SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>
> return (-1);
>
> }
This is 1.0.2 code. The check appears to be earlier in master/1.1.0
(before wnum is reset) and so this isn't an issue there. Really, if an
application passes a bad len value, then this is an application bug and
shouldn't ever happen in a well-behaved application. I'm not sure you
could really describe this as an OpenSSL bug (its a bit border line) so
I'm not sure it justifies a patch to 1.0.2 (which only takes bug fixes).
>
> And also we should do one additional check for “len” as mentioned in my
> previous mail.
>
>
>
> if ((len < tot) || ((tot != 0) && (len < (tot + s->s3->wpend_tot)))){
>
> s->s3->wnum = tot;
>
> SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
>
> return (-1);
>
> }
Please could you raise a github pull request for this suggestion? You
will probably need two versions: one targeting master and one targeting
1.0.2 as the the code looks a little different in this area.
Matt
More information about the openssl-dev
mailing list