Check length before reading handshake header

This commit is contained in:
Manuel Pégourié-Gonnard 2014-09-03 11:01:14 +02:00 committed by Paul Bakker
parent d9ba0d96b6
commit 9d1d7196e4
2 changed files with 23 additions and 5 deletions

View file

@ -784,7 +784,8 @@ struct _ssl_context
(equal to in_left if none) */
#endif
size_t in_hslen; /*!< current handshake message length */
size_t in_hslen; /*!< current handshake message length,
including the handshake header */
int nb_zero; /*!< # of 0-length encrypted messages */
int record_read; /*!< record is already present */
@ -1948,6 +1949,17 @@ static inline size_t ssl_hdr_len( const ssl_context *ssl )
return( 5 );
}
static inline size_t ssl_hs_hdr_len( const ssl_context *ssl )
{
#if defined(POLARSSL_SSL_PROTO_DTLS)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
return( 12 );
#else
((void) ssl);
#endif
return( 4 );
}
/* constant-time buffer comparison */
static inline int safer_memcmp( const void *a, const void *b, size_t n )
{

View file

@ -2338,10 +2338,16 @@ static int ssl_reassemble_dtls_handshake( ssl_context *ssl )
static int ssl_prepare_handshake_record( ssl_context *ssl )
{
ssl->in_hslen = ssl->transport == SSL_TRANSPORT_DATAGRAM ? 12 : 4;
ssl->in_hslen += ( ssl->in_msg[1] << 16 ) |
( ssl->in_msg[2] << 8 ) |
ssl->in_msg[3];
if( ssl->in_msglen < ssl_hs_hdr_len( ssl ) )
{
SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
ssl->in_msglen ) );
}
ssl->in_hslen = ssl_hs_hdr_len( ssl ) + (
( ssl->in_msg[1] << 16 ) |
( ssl->in_msg[2] << 8 ) |
ssl->in_msg[3] );
SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
" %d, type = %d, hslen = %d",