From 6940a5eaae602a52ac14266514be0c6a289e7524 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Mon, 16 May 2022 19:36:15 +0200
Subject: [PATCH 1/2] internal.c:reset input/processReply state if exiting after DoAlert()
---
 src/internal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index ff0911753..cceb86d5b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17708,8 +17708,12 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 return ret;
 /* catch warnings that are handled as errors */
- if (type == close_notify)
+ if (type == close_notify) {
+ ssl->buffers.inputBuffer.idx =
+ ssl->buffers.inputBuffer.length;
+ ssl->options.processReply = doProcessInit;
 return ssl->error = ZERO_RETURN;
+ }
 if (type == decrypt_error)
 return FATAL_ERROR;

From be172af3cdb8e008da9229ce9110fdf75fb5aae1 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Wed, 18 May 2022 18:35:44 +0200
Subject: [PATCH 2/2] internal.c: check that we have data before processing messages

We should never encounter this bug under normal circumstances. But if we enter processReplyEx with a wrongly `ssl->options.processReply` set to `runProcessingOneMessage` we check that we have some data.
---
 src/internal.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index cceb86d5b..0942bf100 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17396,6 +17396,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 /* the record layer is here */
 case runProcessingOneMessage:
+ /* can't process a message if we have no data. */
+ if (ssl->buffers.inputBuffer.idx
+ >= ssl->buffers.inputBuffer.length)
+ return BUFFER_ERROR;
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
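Review bot: The state reset added in the `close_notify` branch (patch 1/2) has no comment saying why buffered input is thrown away, and the neighbouring early return `if (type == decrypt_error) return FATAL_ERROR;` still leaves `inputBuffer.idx` and `options.processReply` as they were. I would put `/* peer sent close_notify: drop anything still buffered and restart the record state machine so a later call cannot resume mid-record */` above the two assignments. If ProcessReplyEx can be entered again after the `decrypt_error` return, which this hunk does not show, that path probably wants the same reset. ProcessReplyEx begins and ends outside the hunk.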
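Review bot: The guard added under `case runProcessingOneMessage:` (patch 2/2) returns `BUFFER_ERROR` but leaves `ssl->options.processReply` at `runProcessingOneMessage`, so the inconsistent state described in the commit message survives the return and a later call would presumably stop at the same guard. Consider setting `ssl->options.processReply = doProcessInit;` before the return and logging the condition, e.g. `WOLFSSL_MSG("runProcessingOneMessage with empty input buffer");`, so the anomaly shows up in debug traces. The comparison also proves only that at least one byte is buffered, not that the full record is present; whether the record size is checked further down is outside the hunk. ProcessReplyEx continues past the last visible line.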