Add length checks in parse_certificate_verify()

2014-09-10 14:27:21 +00:00 · 2014-09-10 14:27:21 +00:00 · 5ee96546de
commit 5ee96546de
parent 72226214b1
1 changed files with 12 additions and 0 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -3330,6 +3330,12 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
    {
+        if( i + 2 > ssl->in_hslen )
+        {
+            SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
        /*
         * Hash
         */
@ -3376,6 +3382,12 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
        return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
    }

+    if( i + 2 > ssl->in_hslen )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
    sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
    i += 2;