[PATCH] Possible case of 0 return on error in tls_read/tls_write


Devchandra L Meetei
Hi

While going through the code of `tls_read` listed below, it looks to me
like there is a possibility of returning 0 on error when the following
code flow takes place:

1)
If tls_handshake(ctx) returns 0, now rv is 0. It goes to
        if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
                if ((rv = tls_handshake(ctx)) != 0)
                        goto out;
        }

2)
Now, if buflen > INT_MAX, then it exits via `goto out`, where rv will be
0 (set by step 1)
        if (buflen > INT_MAX) {
                tls_set_errorx(ctx, "buflen too long");
                goto out;
        }


The fix is not to assign to `rv` when handshaking. The same logic applies
to `tls_write` as well.
Attached patch for your perusal; please feel free to ignore if it was done
intentionally.

ssize_t
tls_read(struct tls *ctx, void *buf, size_t buflen)
{
        ssize_t rv = -1;
        int ssl_ret;

        tls_error_clear(&ctx->error);

        if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
                if ((rv = tls_handshake(ctx)) != 0)
                        goto out;
        }

        if (buflen > INT_MAX) {
                tls_set_errorx(ctx, "buflen too long");
                goto out;
        }

        ERR_clear_error();
        if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
                rv = (ssize_t)ssl_ret;
                goto out;
        }
        rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");

 out:
        /* Prevent callers from performing incorrect error handling */
        errno = 0;
        return (rv);
}






--
Warm Regards
--Dev

Attachment: zero_return_on_err.patch (894 bytes)
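
Added example, not part of the original post or of libtls: a self-contained C model of the control flow described above, with the context, the handshake and SSL_read replaced by stand-ins (model_ctx, model_handshake, HS_DONE and both model_read_* functions are hypothetical names). It shows the quoted flow returning 0 while an error message is set, and one way of keeping the handshake result out of rv so that the same call returns -1.

```c
#include <limits.h>
#include <stddef.h>
#include <sys/types.h>

/* Stand-ins for libtls internals (hypothetical, for illustration only). */
#define HS_DONE 0x1
struct model_ctx { int state; const char *errmsg; };

/* Models a handshake that completes and returns 0. */
static int model_handshake(struct model_ctx *ctx)
{
        ctx->state |= HS_DONE;
        return 0;
}

/* Same control flow as the tls_read quoted in the post. */
ssize_t model_read_orig(struct model_ctx *ctx, size_t buflen)
{
        ssize_t rv = -1;

        ctx->errmsg = NULL;
        if ((ctx->state & HS_DONE) == 0) {
                if ((rv = model_handshake(ctx)) != 0)
                        goto out;
        }
        if (buflen > (size_t)INT_MAX) {
                ctx->errmsg = "buflen too long";
                goto out;       /* rv is still 0 from the handshake */
        }
        rv = (ssize_t)buflen;   /* stand-in for a successful SSL_read */
 out:
        return rv;
}

/* Handshake result is copied into rv only when it is being returned. */
ssize_t model_read_fixed(struct model_ctx *ctx, size_t buflen)
{
        ssize_t rv = -1;
        int hs;

        ctx->errmsg = NULL;
        if ((ctx->state & HS_DONE) == 0 && (hs = model_handshake(ctx)) != 0) {
                rv = hs;
                goto out;
        }
        if (buflen > (size_t)INT_MAX) {
                ctx->errmsg = "buflen too long";
                goto out;       /* rv is still the initial -1 */
        }
        rv = (ssize_t)buflen;
 out:
        return rv;
}
```

In this model the 0 return appears only when the handshake runs inside the same call; with the handshake already complete, rv keeps its initial -1 in both variants.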