Bug 394202 - ssl_GetPrivate can corrupt non-SSL private structures
authornelson%bolyard.com
Sat, 01 Sep 2007 00:49:47 +0000
changeset 8029 052ef61532dde69383414ea5c1c3e5bf2d2cb00e
parent 8027 32f77bee42f93d6d6323e9d098ce5a4f00d15fca
child 8030 56d6ea3d34e8903a3f2a9bb487a4fe413db0e119
push idunknown
push userunknown
push dateunknown
bugs394202
Bug 394202 - ssl_GetPrivate can corrupt non-SSL private structures r=julien,wtc
security/nss/lib/ssl/sslsock.c
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -213,21 +213,32 @@ static sslSocket *
 ssl_GetPrivate(PRFileDesc *fd)
 {
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
     PORT_Assert(fd->identity == ssl_layer_id);
 
+    if (fd->methods->file_type != PR_DESC_LAYERED ||
+        fd->identity != ssl_layer_id) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return NULL;
+    }
+
     ss = (sslSocket *)fd->secret;
     ss->fd = fd;
     return ss;
 }
 
+/* This function tries to find the SSL layer in the stack. 
+ * It searches for the first SSL layer at or below the argument fd,
+ * and failing that, it searches for the nearest SSL layer above the 
+ * argument fd.  It returns the private sslSocket from the found layer.
+ */
 sslSocket *
 ssl_FindSocket(PRFileDesc *fd)
 {
     PRFileDesc *layer;
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(ssl_layer_id != 0);