Prevent possibility of an infinite retry loop and resource exhaution

Reported in ZD13606

src/internal.c

@@ -8949,6 +8949,7 @@ static int SendHandshakeMsg(WOLFSSL* ssl, byte* input, word32 inputSz,
 static int wolfSSLReceive(WOLFSSL* ssl, byte* buf, word32 sz)
 {
     int recvd;
+    int retryLimit = WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS;
 
     if (ssl->CBIORecv == NULL) {
         WOLFSSL_MSG("Your IO Recv callback is null, please set");
@@ -8974,9 +8975,11 @@ retry:
                 return -1;
 
             case WOLFSSL_CBIO_ERR_WANT_READ:      /* want read, would block */
-                if (ssl->ctx->autoRetry && !ssl->options.handShakeDone &&
-                        !ssl->options.dtls)
+                if (retryLimit > 0 && ssl->ctx->autoRetry &&
+                        !ssl->options.handShakeDone && !ssl->options.dtls) {
+                    retryLimit--;
                     goto retry;
+                }
                 return WANT_READ;
 
             case WOLFSSL_CBIO_ERR_CONN_RST:       /* connection reset */

wolfssl/ssl.h

@@ -810,6 +810,9 @@ enum Tls13Secret {
 };
 #endif
 
+#ifndef WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS
+#define WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS 10
+#endif
 
 typedef WOLFSSL_METHOD* (*wolfSSL_method_func)(void* heap);
 
@@ -2196,7 +2199,10 @@ enum {
     SSL_MODE_ENABLE_PARTIAL_WRITE = 2,
     SSL_MODE_AUTO_RETRY = 3, /* wolfSSL default is to return WANT_{READ|WRITE}
                               * to the user. This is set by default with
-                              * OPENSSL_COMPATIBLE_DEFAULTS. */
+                              * OPENSSL_COMPATIBLE_DEFAULTS. The macro
+                              * WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS is used to
+                              * limit the possibility of an infinite retry loop
+                              */
     SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */
 
     BIO_CLOSE   = 1,