Fix another buffer overrun bug (which is not really a bug because
s->s2->escape is never set when sending data because the escape bit is just reserved for future use in SSL 2.0)
This commit is contained in:
Bodo Möller
parent
fc4868cb47
commit
7947f98b9b
1 changed files with 16 additions and 2 deletions
18
ssl/s2_pkt.c
18
ssl/s2_pkt.c
|
|
@ -559,21 +559,35 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
|
|||
}
|
||||
else if ((bs <= 1) && (!s->s2->escape))
|
||||
{
|
||||
/* len=len; */
|
||||
/* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
|
||||
s->s2->three_byte_header=0;
|
||||
p=0;
|
||||
}
|
||||
else /* we may have to use a 3 byte header */
|
||||
{
|
||||
/*len=len; */
|
||||
/* If s->s2->escape is not set, then
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
|
||||
p=(j%bs);
|
||||
p=(p == 0)?0:(bs-p);
|
||||
if (s->s2->escape)
|
||||
{
|
||||
s->s2->three_byte_header=1;
|
||||
if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
|
||||
j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
|
||||
}
|
||||
else
|
||||
s->s2->three_byte_header=(p == 0)?0:1;
|
||||
}
|
||||
}
|
||||
|
||||
/* Now
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
|
||||
* holds, and if s->s2->three_byte_header is set, then even
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
|
||||
*/
|
||||
|
||||
/* mac_size is the number of MAC bytes
|
||||
* len is the number of data bytes we are going to send
|
||||
* p is the number of padding bytes
|
||||
|
|
|
|||
Loading…
Reference in a new issue