Potential buffer-overflow for ssl_read_record()

2025-06-16 14:40:24 +00:00 · 2013-09-11 13:16:28 +02:00 · 2013-09-11 13:16:28 +02:00 · 8648f04e47
parent 3f5b753654
commit 8648f04e47
2 changed files with 6 additions and 1 deletions
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 PolarSSL ChangeLog

+= Branch 1.1
+Security
+   * Potential buffer-overflow for ssl_read_record() (independently found by
+     both TrustInSoft and Paul Brodeur of Leviathan Security Group)
+
 = Version 1.1.7 released on 2013-06-19
 Changes
   * HAVEGE random generator disabled by default
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -1159,7 +1159,7 @@ int ssl_read_record( ssl_context *ssl )
        /*
         * TLS encrypted messages can have up to 256 bytes of padding
         */
-        if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
+        if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
            ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
        {
            SSL_DEBUG_MSG( 1, ( "bad message length" ) );