From: Tobias Brunner Date: Mon, 15 Nov 2021 13:39:22 +0000 (+0100) Subject: tls-socket: Handle sending fatal errors better X-Git-Tag: 5.9.5dr3~3^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d95381ec7a50c6c31a3524a4ca1f9efc8a655dc0;p=thirdparty%2Fstrongswan.git tls-socket: Handle sending fatal errors better In particular as server, the previous code might cause it to hang in recv() if this case wasn't triggered by a close notify (followed by a shutdown of the socket) but it e.g. failed processing a ServerHello and responded with a fatal alert. Fixes: 09fbaad6bd71 ("tls-socket: Don't fail reading if sending data failed") --- diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c index 75f1469298..e15030ee74 100644 --- a/src/libtls/tls_socket.c +++ b/src/libtls/tls_socket.c @@ -193,11 +193,13 @@ static bool exchange(private_tls_socket_t *this, bool wr, bool block) case SUCCESS: return TRUE; default: - if (wr) - { - return FALSE; + if (!wr && this->app.in_done > 0) + { /* return data after proper termination via fatal close + * notify to which we responded with one */ + this->eof = TRUE; + return TRUE; } - break; + return FALSE; } break; }
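Review bot: The new condition `if (!wr && this->app.in_done > 0)` in the `default:` branch of exchange() does not check why the exchange failed, although its comment limits the case to termination via a close notify that was answered with one. As written, any non-SUCCESS status on a read with buffered application data sets `this->eof = TRUE` and returns TRUE, so the caller cannot tell a properly closed connection from one that ended with a different fatal error while data was pending, which matters for truncation handling. Consider testing for the close notify explicitly before returning TRUE, or, if returning buffered data on every fatal error is intended, say so in the comment. It would also help to note next to the final `return FALSE;` that the read path with `in_done == 0` now fails instead of falling through to `break`, since that is the behaviour change that prevents the hang in recv() described in the commit message.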