Cypherpunks repositories - gostls13.git/commitdiff
crypto/tls: Fix c.in.decrypt error handling.
author David Benjamin <davidben@google.com>
Fri, 1 Jul 2016 20:41:09 +0000 (16:41 -0400)
committer Adam Langley <agl@golang.org>
Fri, 30 Sep 2016 18:44:37 +0000 (18:44 +0000)
readRecord was not returning early if c.in.decrypt failed and ran
through the rest of the function. It does set c.in.err, so the various
checks in the callers do ultimately notice before acting on the result,
but we should avoid running the rest of the function at all.

Also rename 'err' to 'alertValue' since it isn't actually an error.

Change-Id: I6660924716a85af704bd3fe81521b34766238695
Reviewed-on: https://go-review.googlesource.com/24709
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
src/crypto/tls/conn.go

index 20b3d735ff4a69487bd3ee4e8599bbb7d8cc31bc..6fd486462f43f11704fa62aa3e348b2303835d26 100644 (file)
@@ -632,9 +632,10 @@ Again:
 
        // Process message.
        b, c.rawInput = c.in.splitBlock(b, recordHeaderLen+n)
-       ok, off, err := c.in.decrypt(b)
+       ok, off, alertValue := c.in.decrypt(b)
        if !ok {
-               c.in.setErrorLocked(c.sendAlert(err))
+               c.in.freeBlock(b)
+               return c.in.setErrorLocked(c.sendAlert(alertValue))
        }
        b.off = off
        data := b.data[b.off:]
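
Review bot: the new early return inside `if !ok` is the behavioural change here, and the diff touches only src/crypto/tls/conn.go, so nothing shown exercises it. A regression test that feeds readRecord a record which fails c.in.decrypt and asserts that the call returns the error from `c.in.setErrorLocked(c.sendAlert(alertValue))` would keep the fall-through from coming back. The added `c.in.freeBlock(b)` would also benefit from a one-line comment saying that b is released here because the code from `b.off = off` onward, which would otherwise consume it, is no longer reached on this path.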