| |
| # HG changeset patch |
| # User John Schanck <jschanck@mozilla.com> |
| # Date 1702322654 0 |
| # Node ID 1bda168c0da97e19e5f14bc4227c15c0a9f493bf |
| # Parent e934c6d1d4366d152e3307cb76af4c02667c9147 |
| Bug 1867408 - add a defensive check for large ssl_DefSend return values. r=nkulatova |
| |
| Differential Revision: https://phabricator.services.mozilla.com/D195054 |
| |
| diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c |
| --- a/lib/ssl/sslsecur.c |
| +++ b/lib/ssl/sslsecur.c |
| @@ -483,17 +483,22 @@ ssl_SendSavedWriteData(sslSocket *ss) |
| PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| if (ss->pendingBuf.len != 0) { |
| SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data", |
| SSL_GETPID(), ss->fd, ss->pendingBuf.len)); |
| rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0); |
| if (rv < 0) { |
| return rv; |
| } |
| - ss->pendingBuf.len -= rv; |
| + if (rv > ss->pendingBuf.len) { |
| + PORT_Assert(0); /* This shouldn't happen */ |
| + ss->pendingBuf.len = 0; |
| + } else { |
| + ss->pendingBuf.len -= rv; |
| + } |
| if (ss->pendingBuf.len > 0 && rv > 0) { |
| /* UGH !! This shifts the whole buffer down by copying it */ |
| PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, |
| ss->pendingBuf.len); |
| } |
| } |
| return rv; |
| } |
| |