From b768c5c1492afd22be2c8863695e95abb86e767e Mon Sep 17 00:00:00 2001
From: tb <>
Date: Sat, 23 May 2020 09:02:02 +0000
Subject: Avoid an out-of-bounds array access in the s_server.

It can be triggered by sending a line to stdin while no connection
is open and then connecting a client. The first SSL_write() fails,
sends SSL_ERROR_WANT_* and then causes a segfault deep down in the
tls stack when accessing &(buf[-1]).

ok beck inoguchi
---
 src/usr.bin/openssl/s_server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index b397e6966d..e0838b2b50 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */
+/* $OpenBSD: s_server.c,v 1.36 2020/05/23 09:02:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1502,6 +1502,8 @@ sv_body(char *hostname, int s, unsigned char *context)
 					ret = 1;
 					goto err;
 				}
+				if (k <= 0)
+					continue;
 				l += k;
 				i -= k;
 				if (i <= 0)
-- 
cgit v1.2.3-55-g6feb