safety check to ensure we dont send out beyond the users buffer
(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and
f2ebe2a60eacf3e348898175be82971b57d72327)
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index bac816f..c159e62 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -590,6 +590,21 @@
}
}
+ /* ensure that if we end up with a smaller value of data to write
+ * out than the the original len from a write which didn't complete
+ * for non-blocking I/O and also somehow ended up avoiding
+ * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+ * it must never be possible to end up with (len-tot) as a large
+ * number that will then promptly send beyond the end of the users
+ * buffer ... so we trap and report the error in a way the user
+ * will notice
+ */
+ if ( len < tot)
+ {
+ OPENSSL_PUT_ERROR(SSL, ssl3_write_bytes, SSL_R_BAD_LENGTH);
+ return(-1);
+ }
+
n=(len-tot);
for (;;)
{
