From 8a7a277c086199b37c07a8e01165168037866f3e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 23 Jun 2013 10:31:04 +0200 Subject: ossl_recv: check for an OpenSSL error, don't assume When we recently started to treat a zero return code from SSL_read() as an error we also got false positives - which primarily looks to be because the OpenSSL documentation is wrong and a zero return code is not at all an error case in many situations. Now ossl_recv() will check with ERR_get_error() to see if there is a stored error and only then consider it to be a true error if SSL_read() returned zero. Bug: http://curl.haxx.se/bug/view.cgi?id=1249 Reported-by: Nach M. S. Patch-by: Nach M. S. --- lib/ssluse.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/lib/ssluse.c b/lib/ssluse.c index 1bb732785..b9560e508 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -2608,13 +2608,19 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ *curlcode = CURLE_AGAIN; return -1; default: - /* openssl/ssl.h says "look at error stack/return value/errno" */ + /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return + value/errno" */ + /* http://www.openssl.org/docs/crypto/ERR_get_error.html */ sslerror = ERR_get_error(); - failf(conn->data, "SSL read: %s, errno %d", - ERR_error_string(sslerror, error_buffer), - SOCKERRNO); - *curlcode = CURLE_RECV_ERROR; - return -1; + if((nread < 0) || sslerror) { + /* If the return code was negative or there actually is an error in the + queue */ + failf(conn->data, "SSL read: %s, errno %d", + ERR_error_string(sslerror, error_buffer), + SOCKERRNO); + *curlcode = CURLE_RECV_ERROR; + return -1; + } } } return nread; -- cgit v1.2.3