author | nelsonb%netscape.com <devnull@localhost> | 2000-10-07 02:22:22 +0000 |
---|---|---|
committer | nelsonb%netscape.com <devnull@localhost> | 2000-10-07 02:22:22 +0000 |
commit | 0a8a8ab6fe59491c49484bccaff6ba2d610e310b (patch) | |
tree | 3f26da128e40e3e8ccea42726747a6523be0da56 | |
parent | d57a4a815cb474f8ab342795c1de5ad0870c04f9 (diff) | |
With this change, SSL will not crash if the next lower layer's Recv
function returns more data than we asked for. SSL will turn that event
into a PR_BUFFER_OVERFLOW_ERROR error. iWS team asked for this.
-rw-r--r-- | security/nss/lib/ssl/ssl3gthr.c | 8 | ||||
-rw-r--r-- | security/nss/lib/ssl/ssldef.c | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index b3f05d83a..909850e94 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -99,6 +99,14 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
 break;
 }
 
+ PORT_Assert( nb <= gs->remainder );
+ if (nb > gs->remainder) {
+ /* ssl_DefRecv is misbehaving! this error is fatal to SSL. */
+ gs->state = GS_INIT; /* so we don't crash next time */
+ rv = SECFailure;
+ break;
+ }
+
 gs->offset += nb;
 gs->inbuf.len += nb;
 gs->remainder -= nb;
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
index 7f16c26b7..c91643ecc 100644
--- a/security/nss/lib/ssl/ssldef.c
+++ b/security/nss/lib/ssl/ssldef.c
@@ -90,6 +90,10 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
 if (rv < 0) {
 PRErrorCode err = PR_GetError();
 MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+ } else if (rv > len) {
+ PORT_Assert(rv <= len);
+ PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+ rv = SECFailure;
 }
 return rv;
 }
|
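Review bot: The new failure branch in ssl3_GatherData sets `rv = SECFailure` without recording an error code, so the caller sees whatever PR error happened to be set earlier. With the companion change in ssldef.c, ssl_DefRecv already turns an oversized return into a failure, so this branch is presumably reached only when some other lower-layer receive path reports `nb > gs->remainder`, and on that path nothing has set PR_BUFFER_OVERFLOW_ERROR. Add `PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);` before `rv = SECFailure;`, and reword the comment to name the lower layer's Recv rather than ssl_DefRecv. The function body starts and ends outside the hunk, so how `nb` is obtained is not visible here.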
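Review bot: The `rv > len` branch in ssl_DefRecv needs a comment stating what it does and does not protect against: it stops SSL from trusting an oversized count, but if the lower layer really wrote `rv` bytes, memory past `buf + len` has already been overwritten by the time this check runs. Suggested comment above the `PORT_SetError` call: `/* lower layer reported more than len bytes; buf may already be overrun, so fail instead of using rv */`. `PORT_Assert(rv <= len)` can never hold inside this branch, so it acts as an unconditional debug-build abort; a short comment saying that this is intentional would keep a later reader from "fixing" it. The start of the function is outside the hunk.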