From 8648f04e47986d8bf2679dc24ad144b779e9950d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 11 Sep 2013 13:16:28 +0200
Subject: [PATCH] Potential buffer-overflow for ssl_read_record()
---
ChangeLog | 5 +++++
library/ssl_tls.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f8a46d9e5..88e5341e2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
PolarSSL ChangeLog
+= Branch 1.1
+Security
+ * Potential buffer-overflow for ssl_read_record() (independently found by
+ both TrustInSoft and Paul Brodeur of Leviathan Security Group)
+
= Version 1.1.7 released on 2013-06-19
Changes
* HAVEGE random generator disabled by default
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 27f2172fc..a5d1cb144 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1159,7 +1159,7 @@ int ssl_read_record( ssl_context *ssl )
/*
* TLS encrypted messages can have up to 256 bytes of padding
*/
- if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
+ if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
{
SSL_DEBUG_MSG( 1, ( "bad message length" ) );
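Review bot: The length bound in ssl_read_record() is still selected by protocol version, so with `>=` it covers TLS 1.0 and every later minor version, but any `ssl->minor_ver` below `SSL_MINOR_VERSION_1` relies entirely on a check outside this hunk. If that earlier branch does not cover all remaining versions, a version-independent ceiling on `ssl->in_msglen`, tied to the real size of the input buffer, would be a safer backstop; the buffer size cannot be confirmed from the visible lines. The comment above the condition would be clearer as `/* TLS 1.0 and later: encrypted records may carry up to 256 bytes of padding */`, so the next reader sees why the test is not an equality. A regression test that presents an over-long record length under TLS 1.1 and 1.2 and expects the "bad message length" path would pin the fix. The function body starts and ends outside the hunk.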