diff options
author | Wan-Teh Chang <wtc@google.com> | 2014-01-16 15:33:26 -0800 |
---|---|---|
committer | Wan-Teh Chang <wtc@google.com> | 2014-01-16 15:33:26 -0800 |
commit | d0637df10b3b9b5fba97ac7eb086663a4ec15a38 (patch) | |
tree | 4870c8aee50b2efb2e8cd5aaa833f7404110df18 | |
parent | 47efb4c907cdf35d4f40f0dc6e646c70a0da5942 (diff) | |
download | nss-hg-d0637df10b3b9b5fba97ac7eb086663a4ec15a38.tar.gz |
Bug 949060: Validate the 'iov' and 'vectors' input arguments of ssl_WriteV.
r=chris.newman.
-rw-r--r-- | lib/ssl/sslsock.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c index 15344b877..c5aca21e2 100644 --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c @@ -2397,6 +2397,7 @@ static PRInt32 PR_CALLBACK ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, PRIntervalTime timeout) { + PRInt32 i; PRInt32 bufLen; PRInt32 left; PRInt32 rv; @@ -2407,10 +2408,20 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, PRIOVec myIov = { 0, 0 }; char buf[MAX_FRAGMENT_LENGTH]; + if (vectors < 0) { + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return -1; + } if (vectors > PR_MAX_IOVECTOR_SIZE) { PORT_SetError(PR_BUFFER_OVERFLOW_ERROR); return -1; } + for (i = 0; i < vectors; i++) { + if (iov[i].iov_len < 0) { + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return -1; + } + } blocking = ssl_FdIsBlocking(fd); #define K16 sizeof(buf) |