From 5ee96546debc408355fefa9018f3ea2bfdb6cab7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 10 Sep 2014 14:27:21 +0000
Subject: [PATCH] Add length checks in parse_certificate_verify()
---
 library/ssl_srv.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index b31cc2318..c839ea7e5 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3330,6 +3330,12 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
 if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
 {
+ if( i + 2 > ssl->in_hslen )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+ return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+ }
+
 /*
 * Hash
 */
@@ -3376,6 +3382,12 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
 }
+ if( i + 2 > ssl->in_hslen )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+ return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+ }
+
 sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
 i += 2;
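Review bot: The guard added at the top of the `SSL_MINOR_VERSION_3` branch does not say which two bytes it protects, and it logs the same "bad certificate verify message" text as the guard added in the second hunk, so a level-1 debug trace cannot show which length check rejected the handshake. I would put a short comment above it, for example `/* two bytes must remain for the algorithm identifiers parsed below (presumably hash + signature; confirm) */`, and give the two sites distinguishable messages. The comparison `i + 2 > ssl->in_hslen` is only safe from wrap-around if `i` and `in_hslen` are unsigned and `i` is already bounded; their declarations are outside this hunk, as are the start and end of ssl_parse_certificate_verify().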
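Review bot: The second guard only proves that the two length bytes `ssl->in_msg[i]` and `ssl->in_msg[i+1]` lie inside the handshake message; `sig_len` is then taken from the peer, and nothing in this hunk bounds it against `ssl->in_hslen`. The function continues past the hunk, so please confirm that a comparison such as `if( i + sig_len != ssl->in_hslen )` runs before the signature bytes are handed to verification. The diffstat lists only library/ssl_srv.c, so no regression test accompanies the fix; a test feeding a CertificateVerify truncated before the length field would keep both guards from regressing.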