From ef4ba0285f9c5dd5ee2dca1e0cefee45eba3477c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Thu, 27 Sep 2018 14:20:46 +0200
Subject: SSL: Don't write to closed socket or write to deallocated buffer

Change-Id: I061848ae570b382d640f8e46a1c54aeaeddbd77d
Fixes: QTBUG-61307
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
 src/network/ssl/qsslsocket_openssl.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index cecb4fb753..11f8a40199 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -675,7 +675,8 @@ void QSslSocketBackendPrivate::transmit()
         // Check if we've got any data to be written to the socket.
         QVarLengthArray<char, 4096> data;
         int pendingBytes;
-        while (plainSocket->isValid() && (pendingBytes = q_BIO_pending(writeBio)) > 0) {
+        while (plainSocket->isValid() && (pendingBytes = q_BIO_pending(writeBio)) > 0
+                && plainSocket->openMode() != QIODevice::NotOpen) {
             // Read encrypted data from the write BIO into a buffer.
             data.resize(pendingBytes);
             int encryptedBytesRead = q_BIO_read(writeBio, data.data(), pendingBytes);
@@ -760,6 +761,10 @@ void QSslSocketBackendPrivate::transmit()
         int readBytes = 0;
         const int bytesToRead = 4096;
         do {
+            if (readChannelCount == 0) {
+                // The read buffer is deallocated, don't try resize or write to it.
+                break;
+            }
             // Don't use SSL_pending(). It's very unreliable.
             readBytes = q_SSL_read(ssl, buffer.reserve(bytesToRead), bytesToRead);
             if (readBytes > 0) {
-- 
cgit v1.2.3