Remove a reachable assert from ssl3_write_bytes

A buggy application that call SSL_write with a different length after a NBIO event could cause an OPENSSL_assert to be reached. The assert is not actually necessary because there was an explicit check a little further down that would catch this scenario. Therefore remove the assert an move the check a little higher up. Reviewed-by: Rich Salz <rsalz@openssl.org>
2024-11-21 01:15:20 +08:00 · 2015-10-30 17:01:01 +00:00 · 2015-10-30 17:01:01 +00:00 · 1c2e5d560d
commit 1c2e5d560d
parent 6929b4477b
1 changed files with 15 additions and 15 deletions
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@ -455,8 +455,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
    }

    s->rwstate = SSL_NOTHING;
-    OPENSSL_assert(s->rlayer.wnum <= INT_MAX);
    tot = s->rlayer.wnum;
+    /*
+     * ensure that if we end up with a smaller value of data to write out
+     * than the the original len from a write which didn't complete for
+     * non-blocking I/O and also somehow ended up avoiding the check for
+     * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
+     * possible to end up with (len-tot) as a large number that will then
+     * promptly send beyond the end of the users buffer ... so we trap and
+     * report the error in a way the user will notice
+     */
+    if ((unsigned int)len < s->rlayer.wnum) {
+        SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
+        return -1;
+    }
+
+
    s->rlayer.wnum = 0;

    if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) {
@ -469,20 +483,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
        }
    }

-    /*
-     * ensure that if we end up with a smaller value of data to write out
-     * than the the original len from a write which didn't complete for
-     * non-blocking I/O and also somehow ended up avoiding the check for
-     * this in ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be
-     * possible to end up with (len-tot) as a large number that will then
-     * promptly send beyond the end of the users buffer ... so we trap and
-     * report the error in a way the user will notice
-     */
-    if (len < tot) {
-        SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
-        return (-1);
-    }
-
    /*
     * first check if there is a SSL3_BUFFER still being written out.  This
     * will happen with non blocking IO