Corrected a broken buffer check in _gnutls_io_read_buffered()

2 files changed, 11 insertions, 3 deletions

diff --git a/NEWS b/NEWS
index 2ab1acc321..3659d4889e 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ Version 0.9.1
   serial number calculation in the record layer.
 - Added gnutls_certificate_free_keys() which deletes all the
   private keys and certificates from the credentials structure.
+- Corrected a broken buffer check in _gnutls_io_read_buffered()
 
 Version 0.9.0 (03/03/2003)
 - This version is not binary compatible with the previous ones.
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 571e2f9803..e72ad00db4 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -330,8 +330,7 @@ ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t
 
 	*iptr = session->internals.record_recv_buffer.data;
 
-	if ( sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0 
- 	   || (session->internals.record_recv_buffer.length+sizeOfPtr) > MAX_RECV_SIZE) 
+	if ( sizeOfPtr > MAX_RECV_SIZE || sizeOfPtr == 0) { 
 	{
 		gnutls_assert(); /* internal error */
 		return GNUTLS_E_INVALID_REQUEST;
@@ -363,10 +362,18 @@ ssize_t _gnutls_io_read_buffered( gnutls_session session, opaque **iptr, size_t
 	 * receive in order to return the requested data.
 	 */
 	recvdata = sizeOfPtr - min;
+
+	/* Check if the previously read data plus the new data to
+	 * receive are longer than the maximum receive buffer size.
+	 */
+ 	if ((session->internals.record_recv_buffer.length + recvdata) > MAX_RECV_SIZE) 
+	{
+		gnutls_assert(); /* internal error */
+		return GNUTLS_E_INVALID_REQUEST;
+	}
 	
 	/* Allocate the data required to store the new packet.
 	 */
-	 
 	alloc_size = recvdata+session->internals.record_recv_buffer.length;
 	session->internals.record_recv_buffer.data = gnutls_realloc_fast(
 		session->internals.record_recv_buffer.data, alloc_size);