authornelsonb%netscape.com <devnull@localhost>2000-10-07 02:22:22 +0000
committernelsonb%netscape.com <devnull@localhost>2000-10-07 02:22:22 +0000
commit0a8a8ab6fe59491c49484bccaff6ba2d610e310b (patch)
tree3f26da128e40e3e8ccea42726747a6523be0da56
parentd57a4a815cb474f8ab342795c1de5ad0870c04f9 (diff)
downloadnss-hg-0a8a8ab6fe59491c49484bccaff6ba2d610e310b.tar.gz
With this change, SSL will not crash if the next lower layer's Recv
function returns more data than we asked for. SSL will turn that event into a PR_BUFFER_OVERFLOW_ERROR error. iWS team asked for this.
-rw-r--r--security/nss/lib/ssl/ssl3gthr.c8
-rw-r--r--security/nss/lib/ssl/ssldef.c4
2 files changed, 12 insertions, 0 deletions
diff --git a/security/nss/lib/ssl/ssl3gthr.c b/security/nss/lib/ssl/ssl3gthr.c
index b3f05d83a..909850e94 100644
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -99,6 +99,14 @@ ssl3_GatherData(sslSocket *ss, sslGather *gs, int flags)
break;
}
+ PORT_Assert( nb <= gs->remainder );
+ if (nb > gs->remainder) {
+ /* ssl_DefRecv is misbehaving! this error is fatal to SSL. */
+ gs->state = GS_INIT; /* so we don't crash next time */
+ rv = SECFailure;
+ break;
+ }
+
gs->offset += nb;
gs->inbuf.len += nb;
gs->remainder -= nb;
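Review bot: The new `nb > gs->remainder` branch sets `rv = SECFailure` without recording an error code, so a caller that reads the error after this failure may see a stale value from an earlier call. Adding `PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);` before `rv = SECFailure;` would match what the commit message promises and what the ssldef.c hunk already does. Also, `PORT_Assert( nb <= gs->remainder )` comes before the check, so in builds where the assert is active the recovery path is presumably never reached; a one-line comment saying that this is intended would help. ssl3_GatherData starts and ends outside the hunk, so these lines do not show whether the receive call always goes through ssl_DefRecv.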
diff --git a/security/nss/lib/ssl/ssldef.c b/security/nss/lib/ssl/ssldef.c
index 7f16c26b7..c91643ecc 100644
--- a/security/nss/lib/ssl/ssldef.c
+++ b/security/nss/lib/ssl/ssldef.c
@@ -90,6 +90,10 @@ int ssl_DefRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
if (rv < 0) {
PRErrorCode err = PR_GetError();
MAP_ERROR(PR_SOCKET_SHUTDOWN_ERROR, PR_CONNECT_RESET_ERROR)
+ } else if (rv > len) {
+ PORT_Assert(rv <= len);
+ PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
+ rv = SECFailure;
}
return rv;
}
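Review bot: The `rv > len` branch detects the oversized return only after the lower layer's recv has already run. If that layer really wrote `rv` bytes, memory past `buf + len` is presumably already overwritten, and the error return stops the bad length from propagating but does not undo the write. A comment in the branch should say so, for example `/* lower layer claims more bytes than requested; buf may already be overrun, treat as fatal */`. `PORT_Assert(rv <= len)` can never hold inside this branch, so it acts as an unconditional debug trap; `PORT_Assert(0)` or a short comment would make that explicit. The opening lines of ssl_DefRecv are outside the hunk.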