From bfbc494114074da58d555cbf01bd54b450f631e1 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Thu, 8 Jun 2017 13:39:23 +0100
Subject: [PATCH] Add hard assertion to mbedtls_ssl_read_record_layer

This commit adds a hard assertion to mbedtls_ssl_read_record_layer
triggering if both ssl->in_hslen and ssl->in_offt are not 0. This
should never happen, and if it does, there's no sensible way of
telling whether the previous message was a handshake or an application
data message.
---
 library/ssl_tls.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index acb3bad52..dafef1f5b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3742,6 +3742,7 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
      *     NOTE: This needs to be fixed, since like for
      *     handshake messages it is allowed to have
      *     multiple alerts witin a single record.
+     *     Internal reference IOTSSL-1321.
      *
      * (3) Change cipher spec:
      *     Consume whole record content, in_msglen = 0.
@@ -3757,6 +3758,12 @@ int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl )
 
     if( ssl->in_hslen != 0 )
     {
+        if( ssl->in_offt != NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
         /*
          * Get next Handshake message in the current record
          */