datapath: Fix buffer overrun in mask array realloc.

[cascardo/ovs.git] / lib / stream-ssl.c

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index ddf388f..d774619 100644 (file)
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -60,8 +60,6 @@
  * compiled with /MD is not tested. */
 #include <openssl/applink.c>
 #define SHUT_RDWR SD_BOTH
-#else
-#define closesocket close
 #endif
 
 VLOG_DEFINE_THIS_MODULE(stream_ssl);
@@ -295,6 +293,8 @@ new_ssl_stream(const char *name, int fd, enum session_type type,
     sslv->fd = fd;
 #ifdef _WIN32
     sslv->wevent = CreateEvent(NULL, FALSE, FALSE, NULL);
+#else
+    sslv->wevent = 0;
 #endif
     sslv->ssl = ssl;
     sslv->txbuf = NULL;
@@ -652,14 +652,15 @@ ssl_do_tx(struct stream *stream)
 
     for (;;) {
         int old_state = SSL_get_state(sslv->ssl);
-        int ret = SSL_write(sslv->ssl, sslv->txbuf->data, sslv->txbuf->size);
+        int ret = SSL_write(sslv->ssl,
+                            ofpbuf_data(sslv->txbuf), ofpbuf_size(sslv->txbuf));
         if (old_state != SSL_get_state(sslv->ssl)) {
             sslv->rx_want = SSL_NOTHING;
         }
         sslv->tx_want = SSL_NOTHING;
         if (ret > 0) {
             ofpbuf_pull(sslv->txbuf, ret);
-            if (sslv->txbuf->size == 0) {
+            if (ofpbuf_size(sslv->txbuf) == 0) {
                 return 0;
             }
         } else {
@@ -836,6 +837,8 @@ pssl_open(const char *name OVS_UNUSED, char *suffix, struct pstream **pstreamp,
     pssl->fd = fd;
 #ifdef _WIN32
     pssl->wevent = CreateEvent(NULL, FALSE, FALSE, NULL);
+#else
+    pssl->wevent = 0;
 #endif
     *pstreamp = &pssl->pstream;
     return 0;
@@ -977,9 +980,17 @@ do_ssl_init(void)
         RAND_seed(seed, sizeof seed);
     }
 
-    /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the
-     * cast is needed to avoid a warning with those newer versions. */
-    method = CONST_CAST(SSL_METHOD *, TLSv1_method());
+    /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
+     * SSLv3_method(), TLSv1_method(), SSLv23_method(), ...  Most of these
+     * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1
+     * only, not any earlier *or later* version.  The only exception is
+     * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
+     * We don't want SSLv2 or SSLv3 support, so we turn it off below with
+     * SSL_CTX_set_options().
+     *
+     * The cast is needed to avoid a warning with newer versions of OpenSSL in
+     * which SSLv23_method() returns a "const" pointer. */
+    method = CONST_CAST(SSL_METHOD *, SSLv23_method());
     if (method == NULL) {
         VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));
         return ENOPROTOOPT;
@@ -1416,18 +1427,6 @@ ssl_protocol_cb(int write_p, int version OVS_UNUSED, int content_type,
     ds_destroy(&details);
 }
 
-/* In Windows platform, errno is not set for socket calls.
- * The last error has to be gotten from WSAGetLastError(). */
-static int
-sock_errno(void)
-{
-#ifdef _WIN32
-    return WSAGetLastError();
-#else
-    return errno;
-#endif
-}
-
 static void
 clear_handle(int fd OVS_UNUSED, HANDLE wevent OVS_UNUSED)
 {