Check SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER before touching wpend_buf.
SSL_write has messy semantics around retries. As a sanity-check, it does pointer and length checks and requires the original and retry SSL_write pass the same buffer pointer. In some cases, buffer addresses may change but still include the original data as a prefix on the retry. Callers then set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER to skip the pointer check. But, in that case, the pointer may have been freed so doing a comparison is undefined behavior. Short-circuiting the pointer equality check avoids this problem. Change-Id: I76cb8f7d45533504cd95287bc53897ca636af51d Reviewed-on: https://boringssl-review.googlesource.com/11760 CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
This commit is contained in:
parent
35c8afd314
commit
c6722cd6e0
@ -245,8 +245,8 @@ int ssl3_write_bytes(SSL *ssl, int type, const void *buf_, int len) {
|
|||||||
static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf,
|
static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf,
|
||||||
unsigned int len) {
|
unsigned int len) {
|
||||||
if (ssl->s3->wpend_tot > (int)len ||
|
if (ssl->s3->wpend_tot > (int)len ||
|
||||||
(ssl->s3->wpend_buf != buf &&
|
(!(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) &&
|
||||||
!(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) ||
|
ssl->s3->wpend_buf != buf) ||
|
||||||
ssl->s3->wpend_type != type) {
|
ssl->s3->wpend_type != type) {
|
||||||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_WRITE_RETRY);
|
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_WRITE_RETRY);
|
||||||
return -1;
|
return -1;
|
||||||
|
Loading…
Reference in New Issue
Block a user