Fix potential NULL dereference on bad usage
This commit is contained in:
parent
ce60fbeb30
commit
a2fce21ae5
2 changed files with 46 additions and 28 deletions
|
@ -27,6 +27,9 @@ Features
|
|||
errors on use of deprecated functions.
|
||||
|
||||
Bugfix
|
||||
* Fix potential NULL pointer dereference (not trigerrable remotely) when
|
||||
ssl_write() is called before the handshake is finished (introduced in
|
||||
1.3.10) (first reported by Martin Blumenstingl).
|
||||
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
|
||||
rejected.
|
||||
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
|
||||
|
|
|
@ -4754,37 +4754,16 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
|
|||
}
|
||||
|
||||
/*
|
||||
* Send application data to be encrypted by the SSL layer
|
||||
* Send application data to be encrypted by the SSL layer,
|
||||
* taking care of max fragment length and buffer size
|
||||
*/
|
||||
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||
static int ssl_write_real( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||
#else
|
||||
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||
#endif
|
||||
static int ssl_write_real( ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
int ret;
|
||||
size_t n;
|
||||
unsigned int max_len = SSL_MAX_CONTENT_LEN;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> write" ) );
|
||||
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
|
||||
{
|
||||
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
|
||||
return( ret );
|
||||
}
|
||||
#endif
|
||||
|
||||
if( ssl->state != SSL_HANDSHAKE_OVER )
|
||||
{
|
||||
if( ( ret = ssl_handshake( ssl ) ) != 0 )
|
||||
{
|
||||
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
|
||||
return( ret );
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
||||
/*
|
||||
* Assume mfl_code is correct since it was checked when set
|
||||
|
@ -4824,8 +4803,6 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
|||
}
|
||||
}
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "<= write" ) );
|
||||
|
||||
return( (int) n );
|
||||
}
|
||||
|
||||
|
@ -4837,7 +4814,8 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
|||
* remember wether we already did the split or not.
|
||||
*/
|
||||
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||
static int ssl_write_split( ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
int ret;
|
||||
|
||||
|
@ -4865,6 +4843,43 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
|||
}
|
||||
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
|
||||
|
||||
/*
|
||||
* Write application data (public-facing wrapper)
|
||||
*/
|
||||
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
|
||||
{
|
||||
int ret;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> write" ) );
|
||||
|
||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
|
||||
{
|
||||
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
|
||||
return( ret );
|
||||
}
|
||||
#endif
|
||||
|
||||
if( ssl->state != SSL_HANDSHAKE_OVER )
|
||||
{
|
||||
if( ( ret = ssl_handshake( ssl ) ) != 0 )
|
||||
{
|
||||
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
|
||||
return( ret );
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
|
||||
ret = ssl_write_split( ssl, buf, len );
|
||||
#else
|
||||
ret = ssl_write_real( ssl, buf, len );
|
||||
#endif
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "<= write" ) );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Notify the peer that the connection is being closed
|
||||
*/
|
||||
|
|
Loading…
Reference in a new issue