From 68390b1ba31bbfada0a0869cf1bc5099bbbd4391 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 12 Apr 2019 11:29:28 -0700
Subject: [PATCH] Improvement to wolfSSL_write to not allow for `VERIFY_MAC_ERROR` or `DECRYPT_ERROR` errors. This resolves possible end user application implentation issue where a wolfSSL_read failure isn't handled and a wolfSSL_write is done anyways.
---
 src/internal.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 7fd79425a..5dd7e79d5 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15223,14 +15223,18 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
 ssl->error = 0;
 }
-#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* In DTLS mode, we forgive some errors and allow the session
- * to continue despite them. */
- if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR)
+ /* don't allow write after decrypt or mac error */
+ if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) {
+ /* For DTLS allow these possible errors and allow the session
+ to continue despite them */
+ if (ssl->options.dtls) {
 ssl->error = 0;
+ }
+ else {
+ WOLFSSL_MSG("Not allowing write after decrypt or mac error");
+ return WOLFSSL_FATAL_ERROR;
+ }
 }
-#endif /* WOLFSSL_DTLS */
 #ifdef WOLFSSL_EARLY_DATA
 if (ssl->earlyData != no_early_data) {
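Review bot: The DTLS branch of the new check clears `ssl->error` without leaving any trace, while the TLS branch logs through `WOLFSSL_MSG` before returning `WOLFSSL_FATAL_ERROR`, so records that failed MAC verification or decryption on a DTLS session are forgiven here with nothing in the debug log. Adding `WOLFSSL_MSG("DTLS: ignoring decrypt or mac error before write");` above `ssl->error = 0;` would keep both outcomes visible to whoever is investigating a session. The comment on the outer `if` says what is refused but not why; something like `/* a failed MAC or decrypt ends a TLS session; refuse to write even if the caller ignored the wolfSSL_read error */` would record the reason. The check now reads `ssl->options.dtls` outside `#ifdef WOLFSSL_DTLS`, which presumably compiles because the field is declared unconditionally, but that is worth confirming in a build without DTLS. SendData's body starts and ends outside the hunk.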