Check length before reading handshake header
This commit is contained in:
Manuel Pégourié-Gonnard
Paul Bakker
parent
d9ba0d96b6
commit
9d1d7196e4
@ -784,7 +784,8 @@ struct _ssl_context
|
||||
(equal to in_left if none) */
|
||||
#endif
|
||||
|
||||
size_t in_hslen; /*!< current handshake message length */
|
||||
size_t in_hslen; /*!< current handshake message length,
|
||||
including the handshake header */
|
||||
int nb_zero; /*!< # of 0-length encrypted messages */
|
||||
int record_read; /*!< record is already present */
|
||||
|
||||
@ -1948,6 +1949,17 @@ static inline size_t ssl_hdr_len( const ssl_context *ssl )
|
||||
return( 5 );
|
||||
}
|
||||
|
||||
static inline size_t ssl_hs_hdr_len( const ssl_context *ssl )
|
||||
{
|
||||
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
||||
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
||||
return( 12 );
|
||||
#else
|
||||
((void) ssl);
|
||||
#endif
|
||||
return( 4 );
|
||||
}
|
||||
|
||||
/* constant-time buffer comparison */
|
||||
static inline int safer_memcmp( const void *a, const void *b, size_t n )
|
||||
{
|
||||
|
||||
@ -2338,10 +2338,16 @@ static int ssl_reassemble_dtls_handshake( ssl_context *ssl )
|
||||
|
||||
static int ssl_prepare_handshake_record( ssl_context *ssl )
|
||||
{
|
||||
ssl->in_hslen = ssl->transport == SSL_TRANSPORT_DATAGRAM ? 12 : 4;
|
||||
ssl->in_hslen += ( ssl->in_msg[1] << 16 ) |
|
||||
( ssl->in_msg[2] << 8 ) |
|
||||
ssl->in_msg[3];
|
||||
if( ssl->in_msglen < ssl_hs_hdr_len( ssl ) )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
|
||||
ssl->in_msglen ) );
|
||||
}
|
||||
|
||||
ssl->in_hslen = ssl_hs_hdr_len( ssl ) + (
|
||||
( ssl->in_msg[1] << 16 ) |
|
||||
( ssl->in_msg[2] << 8 ) |
|
||||
ssl->in_msg[3] );
|
||||
|
||||
SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
|
||||
" %d, type = %d, hslen = %d",
|
||||
|
||||
Loading…
Reference in New Issue
Block a user