Release zero length handshake fragment records

If we are processing a hanshake fragment and we end up with a zero length record, then we still need to release it to avoid an infinite loop. Fixes #20821 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20824)
author: Matt Caswell <matt@openssl.org> 2023-04-25 11:39:26 +0100
committer: Matt Caswell <matt@openssl.org> 2023-05-01 09:54:39 +0100
commit: c20d923b46641030cb2946a1922ee344b9d27e43 (patch)
tree: 8a97586984b9c279490b8cdae936bd1a7a504085 /ssl/record/rec_layer_s3.c
parent: 1c35e39ac0e5845c5bc7ca7f802ee832ca95388d (diff)
download: openssl-new-c20d923b46641030cb2946a1922ee344b9d27e43.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index bba8b7fa02..f9806e9799 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -939,9 +939,13 @@ int ssl3_read_bytes(SSL *ssl, int type, int *recvd_type, unsigned char *buf,
         if (n > 0) {
             memcpy(dest + *dest_len, rr->data + rr->off, n);
             *dest_len += n;
-            if (!ssl_release_record(s, rr, n))
-                return -1;
         }
+        /*
+         * We release the number of bytes consumed, or the whole record if it
+         * is zero length
+         */
+        if ((n > 0 || rr->length == 0) && !ssl_release_record(s, rr, n))
+            return -1;
 
         if (*dest_len < dest_maxlen)
             goto start;     /* fragment was too small */
author	Matt Caswell <matt@openssl.org>	2023-04-25 11:39:26 +0100
committer	Matt Caswell <matt@openssl.org>	2023-05-01 09:54:39 +0100
commit	c20d923b46641030cb2946a1922ee344b9d27e43 (patch)
tree	8a97586984b9c279490b8cdae936bd1a7a504085 /ssl/record/rec_layer_s3.c
parent	1c35e39ac0e5845c5bc7ca7f802ee832ca95388d (diff)
download	openssl-new-c20d923b46641030cb2946a1922ee344b9d27e43.tar.gz