Package: lua-sec / 0.6-3

0003-Fix-crash-related-to-incorrect-buffer-size.patch Patch series | download
From: Perry Clarke <perry@coronalabs.com>
Date: Tue, 3 May 2016 16:37:47 -0700
Subject: Fix crash related to incorrect buffer size

The number of bytes received by ssl_recv() is passed to luaL_addlstring() (in recvall()), but that count was either left uninitialized or set to an error code.  The crashing case I found was when the state was not LSEC_STATE_CONNECTED (e.g. when dohandshake() has failed) and ssl_recv() returned immediately without setting "got".
---
 src/ssl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index d2b495d..0ac1c56 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -191,19 +191,19 @@ static int ssl_recv(void *ctx, char *data, size_t count, size_t *got,
 {
   int err;
   p_ssl ssl = (p_ssl)ctx;
+  *got = 0;
   if (ssl->state != LSEC_STATE_CONNECTED)
     return IO_CLOSED;
-  *got = 0;
   for ( ; ; ) {
     ERR_clear_error();
     err = SSL_read(ssl->ssl, data, (int)count);
     ssl->error = SSL_get_error(ssl->ssl, err);
     switch (ssl->error) {
     case SSL_ERROR_NONE:
-      *got = err;
+      *got = 0;
       return IO_DONE;
     case SSL_ERROR_ZERO_RETURN:
-      *got = err;
+      *got = 0;
       return IO_CLOSED;
     case SSL_ERROR_WANT_READ:
       err = socket_waitfd(&ssl->sock, WAITFD_R, tm);
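Review bot: The `SSL_ERROR_NONE` case now stores `*got = 0;` before returning `IO_DONE`, so a successful `SSL_read()` reports zero bytes and the caller has no way to know how much of `data` is valid. According to the commit message the count feeds `luaL_addlstring()` in `recvall()`, so decrypted data would be dropped silently rather than crashing. `SSL_get_error()` yields `SSL_ERROR_NONE` only when the return value passed to it is positive, so `err` in that case is a byte count, not an error code. That case should keep `*got = (size_t)err;`, with zeroing limited to the new early `*got = 0;` and the `SSL_ERROR_ZERO_RETURN` case. The body of `ssl_recv()` continues past the end of the hunk, so how the remaining cases leave `got` cannot be checked from here.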