1.1.1b, ssl3_write_bytes wrongly uses return value of do_ssl3_write to do compare with length #9490

@mzhan0170

Version: 1.1.1b

Source code: ssl/record/rec_layer_s3.c
Line 613 sets i to the return value of do_ssl3_write; going through the code, the return value is an indication of success or failure.
Line 631 compares i with n (the length). This is not correct, and it then impacts the buffer release functionality in the if block.

What's your opinion?

```
612
613         i = do_ssl3_write(s, type, &(buf[tot]), pipelens, numpipes, 0,
614                           &tmpwrit);
615         if (i <= 0) {
616             /* SSLfatal() already called if appropriate */
617             /* XXX should we ssl3_release_write_buffer if i<0? */
618             s->rlayer.wnum = tot;
619             return i;
620         }
621
622         if (tmpwrit == n ||
623             (type == SSL3_RT_APPLICATION_DATA &&
624              (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
625             /*
626              * next chunk of data should get another prepended empty fragment
627              * in ciphersuites with known-IV weakness:
628              */
629             s->s3->empty_fragment_done = 0;
630
631             if ((i == (int)n) && s->mode & SSL_MODE_RELEASE_BUFFERS &&
632                 !SSL_IS_DTLS(s))
633                 ssl3_release_write_buffer(s);
634
635             *written = tot + tmpwrit;
636             return 1;
637         }
```

Thanks,
Mark
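
An added example, not part of the original report and not OpenSSL code: a small C model of the comparison quoted at line 631, next to a comparison against the byte count, counting how often each would release the buffer after a complete write. `model_write`, the helper names and the write sizes are hypothetical; the model assumes the callee returns 1 on success and reports the bytes written through its out-parameter, as the quoted call does with `tmpwrit`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for do_ssl3_write() (assumption): returns 1 on
 * success and <= 0 on failure; the byte count goes to *written. */
static int model_write(size_t len, size_t *written)
{
    if (len == 0)
        return 0;
    *written = len;
    return 1;
}

/* Condition as quoted at line 631: status code compared with the length. */
static int release_status_vs_len(int i, size_t tmpwrit, size_t n)
{
    (void)tmpwrit;
    return i == (int)n;
}

/* Alternative for comparison: byte count compared with the length. */
static int release_bytes_vs_len(int i, size_t tmpwrit, size_t n)
{
    (void)i;
    return tmpwrit == n;
}

/* Count how many complete writes of the constructed sizes would release
 * the write buffer under the given condition. */
static int count_releases(int (*cond)(int, size_t, size_t))
{
    static const size_t sizes[] = { 1, 2, 512, 16384 }; /* constructed */
    int released = 0;
    for (size_t k = 0; k < sizeof(sizes) / sizeof(sizes[0]); k++) {
        size_t tmpwrit = 0;
        int i = model_write(sizes[k], &tmpwrit);
        if (i > 0 && cond(i, tmpwrit, sizes[k]))
            released++;
    }
    return released;
}

int main(void)
{
    printf("status vs length: %d of 4 writes release the buffer\n",
           count_releases(release_status_vs_len));
    printf("bytes vs length:  %d of 4 writes release the buffer\n",
           count_releases(release_bytes_vs_len));
    return 0;
}
```

In this model the status comparison matches only the 1-byte write, so with `SSL_MODE_RELEASE_BUFFERS` set the buffer would stay allocated after every other complete write.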

Labels: issue: bug report