From 5e18f74abba8bb41148839b8a77d1abc9c7431ec Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 6 Aug 2018 11:35:16 +0100
Subject: [PATCH 1/3] Make alert sending function re-entrant Fixes #1916
Signed-off-by: Dave Rodgman
---
 library/ssl_msg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 4eac24bde..051e4b033 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4855,6 +4855,9 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, if( ssl == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( ssl->out_left != 0 ) + return( mbedtls_ssl_flush_output( ssl ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
@@ -5714,9 +5717,6 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); - if( ssl->out_left != 0 ) - return( mbedtls_ssl_flush_output( ssl ) ); - if( mbedtls_ssl_is_handshake_over( ssl ) == 1 ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl,
From 8813c03cb0c7b5c6393cde4b22371659c85efb1e Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 14 Aug 2018 16:38:12 +0100
Subject: [PATCH 2/3] Add ChangeLog entry
Signed-off-by: Dave Rodgman
---
 ChangeLog.d/alert_reentrant.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 ChangeLog.d/alert_reentrant.txt
diff --git a/ChangeLog.d/alert_reentrant.txt b/ChangeLog.d/alert_reentrant.txt
new file mode 100644
index 000000000..2d1dc602e
--- /dev/null
+++ b/ChangeLog.d/alert_reentrant.txt
@@ -0,0 +1,5 @@
+Bugfix
+ * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
+ potentially leading to corrupted alert messages being sent in case
+ the function needs to be re-called after initially returning
+ MBEDTLS_SSL_WANT_WRITE.
From f945e0a475b018fb6cab14201d8da0bd55343cb7 Mon Sep 17 00:00:00 2001
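Review bot: The early return added to mbedtls_ssl_send_alert_message() in the first ssl_msg.c hunk cannot tell whose bytes are still queued: whenever `ssl->out_left != 0` it returns the result of mbedtls_ssl_flush_output() without looking at `level` or `message`. If the pending output is an earlier record rather than this alert left over from a previous want-write return, a 0 result would appear to mean the alert was never queued; this is inferred, since the rest of the function lies outside the hunk. A fatal alert or close_notify dropped this way would leave the peer unable to tell an orderly shutdown from truncation, so callers need to know that 0 on this path only means "pending output flushed". I would state that at the check with a comment such as `/* Output from an earlier call is still pending: finish flushing it; level and message are not used on this path. */` and repeat the re-call contract in the function's public documentation. The new path also returns before the `=> send alert message` debug line, so a re-entered call leaves no trace in the debug log.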
From: Dave Rodgman
Date: Fri, 8 Apr 2022 12:53:00 +0100
Subject: [PATCH 3/3] Update ChangeLog.d/alert_reentrant.txt
Co-authored-by: Gilles Peskine
Signed-off-by: Dave Rodgman
---
 ChangeLog.d/alert_reentrant.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog.d/alert_reentrant.txt b/ChangeLog.d/alert_reentrant.txt
index 2d1dc602e..691d64c0d 100644
--- a/ChangeLog.d/alert_reentrant.txt
+++ b/ChangeLog.d/alert_reentrant.txt
@@ -2,4 +2,4 @@ Bugfix
 * Fix bug in the alert sending function mbedtls_ssl_send_alert_message()
 potentially leading to corrupted alert messages being sent in case
 the function needs to be re-called after initially returning
- MBEDTLS_SSL_WANT_WRITE.
+ MBEDTLS_SSL_WANT_WRITE. Fixes #1916.