Commit 5a91d388 authored by Bernd Edlinger's avatar Bernd Edlinger
Browse files

Swap the check in ssl3_write_pending to avoid using 


the possibly indeterminate pointer value in wpend_buf.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5307)
parent 622ddb57

ssl/record/rec_layer_s3.c

+2 −3
Original line number Diff line number Diff line
@@ -894,10 +894,9 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, 
    SSL3_BUFFER *wb = s->rlayer.wbuf;

    unsigned int currbuf = 0;



/* XXXX */

    if ((s->rlayer.wpend_tot > (int)len)

        || ((s->rlayer.wpend_buf != buf) &&

            !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))

        || (!(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)

            && (s->rlayer.wpend_buf != buf))

        || (s->rlayer.wpend_type != type)) {

        SSLerr(SSL_F_SSL3_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);

        return (-1);