wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix another buffer overrun bug (which is not really a bug because

Browse source 
s->s2->escape is never set when sending data because the escape
bit is just reserved for future use in SSL 2.0)
This commit is contained in:
Bodo Möller 2000-12-18 11:32:09 +00:00
parent fc4868cb47
commit 7947f98b9b
1 changed files with 16 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
ssl/s2_pkt.c
View file

@ -559,21 +559,35 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
} }
else if ((bs <= 1) && (!s->s2->escape)) else if ((bs <= 1) && (!s->s2->escape))
{ {
/* len=len; */ /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
s->s2->three_byte_header=0; s->s2->three_byte_header=0;
p=0; p=0;
} }
else /* we may have to use a 3 byte header */ else /* we may have to use a 3 byte header */
{ {
/*len=len; */ /* If s->s2->escape is not set, then
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
p=(j%bs); p=(j%bs);
p=(p == 0)?0:(bs-p); p=(p == 0)?0:(bs-p);
if (s->s2->escape) if (s->s2->escape)
{
s->s2->three_byte_header=1; s->s2->three_byte_header=1;
if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
}
else else
s->s2->three_byte_header=(p == 0)?0:1; s->s2->three_byte_header=(p == 0)?0:1;
} }
} }
/* Now
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
* holds, and if s->s2->three_byte_header is set, then even
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
*/
/* mac_size is the number of MAC bytes /* mac_size is the number of MAC bytes
* len is the number of data bytes we are going to send * len is the number of data bytes we are going to send
* p is the number of padding bytes * p is the number of padding bytes