rtcp_new: return failure if allocation of bi->ptr failed

[openssl.git] / ssl / s3_pkt.c

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 34eb2b442331f7cdee5d1fa17f3567bcfb380623..9a1d65d8cbbbf12d7673bbc1b2dcb6b876ed4523 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -110,6 +110,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include <errno.h>
 #define USE_SOCKETS
 #include "ssl_locl.h"
@@ -642,8 +643,16 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 #endif
        SSL3_BUFFER *wb=&(s->s3->wbuf);
        int i;
+       unsigned int u_len = (unsigned int)len;
+
+       if (len < 0)
+               {
+               SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_NEGATIVE_LENGTH);
+               return -1;
+               }
 
        s->rwstate=SSL_NOTHING;
+       OPENSSL_assert(s->s3->wnum <= INT_MAX);
        tot=s->s3->wnum;
        s->s3->wnum=0;
 
@@ -667,7 +676,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         * buffer ... so we trap and report the error in a way the user
         * will notice
         */
-       if ( len < tot)
+       if (len < tot)
                {
                SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH);
                return(-1);
@@ -695,7 +704,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
         * compromise is considered worthy.
         */
        if (type==SSL3_RT_APPLICATION_DATA &&
-           len >= 4*(max_send_fragment=s->max_send_fragment) &&
+           u_len >= 4*(max_send_fragment=s->max_send_fragment) &&
            s->compress==NULL && s->msg_callback==NULL &&
            !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
            EVP_CIPHER_flags(s->enc_write_ctx->cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
@@ -705,7 +714,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                int packlen;
 
                /* minimize address aliasing conflicts */
-               if ((max_send_fragment&0xffff) == 0)
+               if ((max_send_fragment&0xfff) == 0)
                        max_send_fragment -= 512;
 
                if (tot==0 || wb->buf==NULL)    /* allocate jumbo buffer */
@@ -716,7 +725,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                                        EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE,
                                        max_send_fragment,NULL);
 
-                       if (len>=8*max_send_fragment)   packlen *= 8;
+                       if (u_len >= 8*max_send_fragment)       packlen *= 8;
                        else                            packlen *= 4;
 
                        wb->buf=OPENSSL_malloc(packlen);
@@ -768,7 +777,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                                        EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
                                        sizeof(mb_param),&mb_param);
 
-                       if (packlen<=0 || packlen>wb->len)      /* never happens */
+                       if (packlen<=0 || packlen>(int)wb->len) /* never happens */
                                {
                                OPENSSL_free(wb->buf);  /* free jumbo buffer */
                                wb->buf = NULL;
@@ -1245,7 +1254,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (!ssl3_setup_read_buffer(s))
                        return(-1);
 
-       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
+       if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE)) ||
            (peek && (type != SSL3_RT_APPLICATION_DATA)))
                {
                SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
@@ -1593,6 +1602,15 @@ start:
                        goto f_err;
                        }
 
+               if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
+                       }
+
+               s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
+
                rr->length=0;
 
                if (s->msg_callback)
@@ -1775,7 +1793,7 @@ int ssl3_send_alert(SSL *s, int level, int desc)
                desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
        if (desc < 0) return -1;
        /* If a fatal one, remove from cache */
-       if ((level == 2) && (s->session != NULL))
+       if ((level == SSL3_AL_FATAL) && (s->session != NULL))
                SSL_CTX_remove_session(s->ctx,s->session);
 
        s->s3->alert_dispatch=1;