Fix potential NULL dereference

We document that either of recv or recv_timeout may be NULL, but for TLS we
always used recv... Thanks Coverity for catching that.
(Not remotely trigerrable: local configuration.)

Also made me notice net_recv_timeout didn't do its job properly.
parent dba460f2
...@@ -178,6 +178,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ); ...@@ -178,6 +178,7 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
* \param buf The buffer to write to * \param buf The buffer to write to
* \param len Maximum length of the buffer * \param len Maximum length of the buffer
* \param timeout Maximum number of milliseconds to wait for data * \param timeout Maximum number of milliseconds to wait for data
* 0 means no timeout (wait forever)
* *
* \return the number of bytes received, * \return the number of bytes received,
* or a non-zero error code: * or a non-zero error code:
......
...@@ -982,7 +982,7 @@ void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf, ...@@ -982,7 +982,7 @@ void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
* \param f_recv read callback * \param f_recv read callback
* \param f_recv_timeout blocking read callback with timeout. * \param f_recv_timeout blocking read callback with timeout.
* The last argument is the timeout in milliseconds, * The last argument is the timeout in milliseconds,
* 0 means no timeout * 0 means no timeout (block forever until a message comes)
* *
* \note One of f_recv or f_recv_timeout can be NULL, in which case * \note One of f_recv or f_recv_timeout can be NULL, in which case
* the other is used. If both are non-NULL, f_recv_timeout is * the other is used. If both are non-NULL, f_recv_timeout is
......
...@@ -444,7 +444,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len, ...@@ -444,7 +444,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
tv.tv_sec = timeout / 1000; tv.tv_sec = timeout / 1000;
tv.tv_usec = ( timeout % 1000 ) * 1000; tv.tv_usec = ( timeout % 1000 ) * 1000;
ret = select( fd + 1, &read_fds, NULL, NULL, &tv ); ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
/* Zero fds ready means we timed out */ /* Zero fds ready means we timed out */
if( ret == 0 ) if( ret == 0 )
......
...@@ -2293,7 +2293,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) ...@@ -2293,7 +2293,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
if( ssl->f_recv_timeout != NULL && timeout != 0 ) if( ssl->f_recv_timeout != NULL )
ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
timeout ); timeout );
else else
...@@ -2359,11 +2359,23 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) ...@@ -2359,11 +2359,23 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
if( ssl_check_timer( ssl ) != 0 ) if( ssl_check_timer( ssl ) != 0 )
ret = MBEDTLS_ERR_SSL_TIMEOUT; ret = MBEDTLS_ERR_SSL_TIMEOUT;
else else
ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr + ssl->in_left, len ); {
if( ssl->f_recv_timeout != NULL )
{
ret = ssl->f_recv_timeout( ssl->p_bio,
ssl->in_hdr + ssl->in_left, len,
ssl->conf->read_timeout );
}
else
{
ret = ssl->f_recv( ssl->p_bio,
ssl->in_hdr + ssl->in_left, len );
}
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d", MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
ssl->in_left, nb_want ) ); ssl->in_left, nb_want ) );
MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv", ret ); MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
if( ret == 0 ) if( ret == 0 )
return( MBEDTLS_ERR_SSL_CONN_EOF ); return( MBEDTLS_ERR_SSL_CONN_EOF );
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment