From 9611cfcb9fcf120a6c70fd6b23b296f8ca20279f Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 20 Jun 2014 12:00:00 -0700
Subject: [PATCH] safety check to ensure we dont send out beyond the users buffer

(Imported from upstream's 011ee91105f00cb2465110ce6431b11b51556d08 and f2ebe2a60eacf3e348898175be82971b57d72327)
---
 ssl/s3_pkt.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index bac816f8..c159e62d 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -590,6 +590,21 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 }
 }
 
+ /* ensure that if we end up with a smaller value of data to write
+ * out than the the original len from a write which didn't complete
+ * for non-blocking I/O and also somehow ended up avoiding
+ * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+ * it must never be possible to end up with (len-tot) as a large
+ * number that will then promptly send beyond the end of the users
+ * buffer ... so we trap and report the error in a way the user
+ * will notice
+ */
+ if ( len < tot)
+ {
+ OPENSSL_PUT_ERROR(SSL, ssl3_write_bytes, SSL_R_BAD_LENGTH);
+ return(-1);
+ }
+
 n=(len-tot);
 for (;;)
 {
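Review bot: The new guard `if ( len < tot)` is only as strong as the types on both sides, and the declaration of `tot` is outside this hunk. If `tot` is unsigned, a negative `len` is converted to a large unsigned value before the comparison and passes the check, so `n=(len-tot)` can still produce the oversized count the comment warns about. Writing it as `if (len < 0 || len < tot)` keeps the check correct whichever way `tot` is declared. The comment also has a doubled word ("the the") and could say where `tot` comes from, presumably the saved offset of an incomplete write, which should be confirmed against the top of the function. ssl3_write_bytes begins before and continues past this hunk.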