Fix a buffer length bug and nits in the next protocol negotiation (NPN)

net/third_party/nss/ssl/ssl3ext.c

Index: net/third_party/nss/ssl/ssl3ext.c
===================================================================
--- net/third_party/nss/ssl/ssl3ext.c	(revision 125777)
+++ net/third_party/nss/ssl/ssl3ext.c	(working copy)
@@ -606,10 +606,7 @@
     unsigned char resultBuffer[255];
     SECItem result = { siBuffer, resultBuffer, 0 };
 
-    if (ss->firstHsDone) {

[wtc, 2012/03/10 00:43:15]

ss->firstHsDone cannot be true here.  Line 650 below ensures
that we (an NSS client) do not send the NPN extension if
ss->firstHsDone is true, and NSS won't call an extension
handler on the client side if the server sends an unadvertised
extension.

-	PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-	return SECFailure;
-    }
+    PORT_Assert(!ss->firstHsDone);
 
     rv = ssl3_ValidateNextProtoNego(data->data, data->len);
     if (rv != SECSuccess)
@@ -621,6 +618,8 @@
      */
     PORT_Assert(ss->nextProtoCallback != NULL);
     if (!ss->nextProtoCallback) {
+	/* XXX Use a better error code. This is an application error, not an
+	 * NSS bug. */
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
@@ -631,7 +630,7 @@
 	return rv;
     /* If the callback wrote more than allowed to |result| it has corrupted our
      * stack. */
-    if (result.len > sizeof result) {
+    if (result.len > sizeof resultBuffer) {

[wtc, 2012/03/10 00:43:15]

This is the fix for the buffer length bug.  We will hit this
bug if the NPN result is larger than the size of SECItem
(12 bytes).

 	PORT_SetError(SEC_ERROR_OUTPUT_LEN);
 	return SECFailure;
     }