Bug 949060: Validate the 'iov' and 'vectors' input arguments of ssl_WriteV.

r=chris.newman.
author: Wan-Teh Chang <wtc@google.com> 2014-01-16 15:33:26 -0800
committer: Wan-Teh Chang <wtc@google.com> 2014-01-16 15:33:26 -0800
commit: d0637df10b3b9b5fba97ac7eb086663a4ec15a38 (patch)
tree: 4870c8aee50b2efb2e8cd5aaa833f7404110df18
parent: 47efb4c907cdf35d4f40f0dc6e646c70a0da5942 (diff)
download: nss-hg-d0637df10b3b9b5fba97ac7eb086663a4ec15a38.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index 15344b877..c5aca21e2 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -2397,6 +2397,7 @@ static PRInt32 PR_CALLBACK
 ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors, 
            PRIntervalTime timeout)
 {
+    PRInt32            i;
     PRInt32            bufLen;
     PRInt32            left;
     PRInt32            rv;
@@ -2407,10 +2408,20 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
     PRIOVec            myIov	 = { 0, 0 };
     char               buf[MAX_FRAGMENT_LENGTH];
 
+    if (vectors < 0) {
+    	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	return -1;
+    }
     if (vectors > PR_MAX_IOVECTOR_SIZE) {
     	PORT_SetError(PR_BUFFER_OVERFLOW_ERROR);
 	return -1;
     }
+    for (i = 0; i < vectors; i++) {
+	if (iov[i].iov_len < 0) {
+	    PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+	    return -1;
+	}
+    }
     blocking = ssl_FdIsBlocking(fd);
 
 #define K16 sizeof(buf)
author	Wan-Teh Chang <wtc@google.com>	2014-01-16 15:33:26 -0800
committer	Wan-Teh Chang <wtc@google.com>	2014-01-16 15:33:26 -0800
commit	d0637df10b3b9b5fba97ac7eb086663a4ec15a38 (patch)
tree	4870c8aee50b2efb2e8cd5aaa833f7404110df18
parent	47efb4c907cdf35d4f40f0dc6e646c70a0da5942 (diff)
download	nss-hg-d0637df10b3b9b5fba97ac7eb086663a4ec15a38.tar.gz