diff options
| author | marha <marha@users.sourceforge.net> | 2015-06-15 20:18:50 +0200 |
|---|---|---|
| committer | Mike DePaulo <mikedep333@gmail.com> | 2015-06-22 01:16:46 -0400 |
| commit | 36da4a2e0e43928a29ac2ee5c55bf681e90e2f42 (patch) | |
| tree | 92633e1022d705c72d0f97315891e719648dd17e /openssl/ssl/s2_pkt.c | |
| parent | bec4be4c48239613ed1c704ae71bf08754eef711 (diff) | |
| download | vcxsrv-36da4a2e0e43928a29ac2ee5c55bf681e90e2f42.tar.gz vcxsrv-36da4a2e0e43928a29ac2ee5c55bf681e90e2f42.tar.bz2 vcxsrv-36da4a2e0e43928a29ac2ee5c55bf681e90e2f42.zip | |
Update to openssl-1.0.2crelease/external-1.17.0.0-x
Diffstat (limited to 'openssl/ssl/s2_pkt.c')
| -rw-r--r-- | openssl/ssl/s2_pkt.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/openssl/ssl/s2_pkt.c b/openssl/ssl/s2_pkt.c index 614b9a35d..7a6188813 100644 --- a/openssl/ssl/s2_pkt.c +++ b/openssl/ssl/s2_pkt.c @@ -576,6 +576,20 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->padding = p; s->s2->mac_data = &(s->s2->wbuf[3]); s->s2->wact_data = &(s->s2->wbuf[3 + mac_size]); + + /* + * It would be clearer to write this as follows: + * if (mac_size + len + p > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) + * However |len| is user input that could in theory be very large. We + * know |mac_size| and |p| are small, so to avoid any possibility of + * overflow we write it like this. + * + * In theory this should never fail because the logic above should have + * modified |len| if it is too big. But we are being cautious. + */ + if (len > (SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER - (mac_size + p))) { + return -1; + } /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data, buf, len); if (p) |