From 6b4f237f6accd027f854f7efa3bdad6b2ba38361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Wed, 17 Jul 2013 14:33:38 +0200
Subject: [PATCH] Forbid setting max_frag_len > MAX_CONTENT_LEN

---
 library/ssl_tls.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9a1590c58..d6be98733 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3119,29 +3119,35 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor )
 
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {
+    uint16_t max_frag_len;
+
     switch( mfl_code )
     {
         case SSL_MAX_FRAG_LEN_512:
-            ssl->max_frag_len = 512;
+            max_frag_len = 512;
             break;
 
         case SSL_MAX_FRAG_LEN_1024:
-            ssl->max_frag_len = 1024;
+            max_frag_len = 1024;
             break;
 
         case SSL_MAX_FRAG_LEN_2048:
-            ssl->max_frag_len = 2048;
+            max_frag_len = 2048;
             break;
 
         case SSL_MAX_FRAG_LEN_4096:
-            ssl->max_frag_len = 4096;
+            max_frag_len = 4096;
             break;
 
         default:
             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
     }
 
+    if( max_frag_len > SSL_MAX_CONTENT_LEN )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     ssl->mfl_code = mfl_code;
+    ssl->max_frag_len = max_frag_len;
 
     return( 0 );
 }