yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-10 01:05:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Stricter check on SSL ClientHello internal sizes compared to actual packet size

Browse source
This commit is contained in:
Paul Bakker 2014-05-22 15:12:19 +02:00
parent 609d1a96aa
commit 75ee01097f
2 changed files with 9 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -56,6 +56,8 @@ Bugfix
* mpi_fill_random() was creating numbers larger than requested on * mpi_fill_random() was creating numbers larger than requested on
big-endian platform when size was not an integer number of limbs big-endian platform when size was not an integer number of limbs
* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
* Stricter check on SSL ClientHello internal sizes compared to actual packet
size (found by TrustInSoft)
= Version 1.2.10 released 2013-10-07 = Version 1.2.10 released 2013-10-07
Changes Changes

12
library/ssl_srv.c
View file

@ -493,8 +493,9 @@ static int ssl_parse_client_hello( ssl_context *ssl )
* 38 . 38 session id length * 38 . 38 session id length
* 39 . 38+x session id * 39 . 38+x session id
* 39+x . 40+x ciphersuitelist length * 39+x . 40+x ciphersuitelist length
* 41+x . .. ciphersuitelist * 41+x . 40+y ciphersuitelist
* .. . .. compression alg. * 41+y . 41+y compression alg length
* 42+y . 41+z compression algs
* .. . .. extensions * .. . .. extensions
*/ */
SSL_DEBUG_BUF( 4, "record contents", buf, n ); SSL_DEBUG_BUF( 4, "record contents", buf, n );
@ -559,7 +560,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
*/ */
sess_len = buf[38]; sess_len = buf[38];
if( sess_len > 32 ) if( sess_len > 32 || sess_len > n - 42 )
{ {
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
@ -577,7 +578,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
ciph_len = ( buf[39 + sess_len] << 8 ) ciph_len = ( buf[39 + sess_len] << 8 )
| ( buf[40 + sess_len] ); | ( buf[40 + sess_len] );
if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 ) if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
{ {
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
@ -588,7 +589,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
*/ */
comp_len = buf[41 + sess_len + ciph_len]; comp_len = buf[41 + sess_len + ciph_len];
if( comp_len < 1 || comp_len > 16 ) if( comp_len < 1 || comp_len > 16 ||
comp_len > n - 42 - sess_len - ciph_len )
{ {
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );