X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fs3_pkt.c;h=40eb0dd347cc3babf2d2aee49a06b5d148c3b1a2;hb=4d8cca8a7ecac547d07042f921469681cc869ed6;hp=8deeab3c9fbfba52aa338f3130cd82ccdb0eeec5;hpb=725c5f1ad393a7bc344348d0ec7c268aaf2700a7;p=openssl.git

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8deeab3c9f..40eb0dd347 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -598,6 +598,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 			}
 		}
 
+	/* ensure that if we end up with a smaller value of data to write 
+	 * out than the the original len from a write which didn't complete 
+	 * for non-blocking I/O and also somehow ended up avoiding 
+	 * the check for this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as
+	 * it must never be possible to end up with (len-tot) as a large
+	 * number that will then promptly send beyond the end of the users
+	 * buffer ... so we trap and report the error in a way the user
+	 * will notice
+	 */
+	if ( len < tot)
+		{
+		SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
+		return(-1);
+		}
+
+
 	n=(len-tot);
 	for (;;)
 		{