Limit MTU by maximum fragment length setting

By the standard (RFC 6066, Sect. 4), the Maximum Fragment Length (MFL) extension limits the maximum record payload size, but not the maximum datagram size. However, not inferring any limitations on the MTU when setting the MFL means that a party has no means to dynamically inform the peer about MTU limitations. This commit changes the function ssl_get_remaining_payload_in_datagram() to never return more than MFL - { Total size of all records within the current datagram } thereby limiting the MTU to MFL + { Maximum Record Expansion }.
2024-10-18 12:31:05 +00:00 · 2018-08-24 10:47:29 +01:00 · 2018-08-24 10:47:29 +01:00 · f4b010efc4
parent 554b0af195
commit f4b010efc4
1 changed files with 14 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -146,6 +146,20 @@ static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl

    if( max_len > mfl )
        max_len = mfl;
+
+    /* By the standard (RFC 6066 Sect. 4), the MFL extension
+     * only limits the maximum record payload size, so in theory
+     * we would be allowed to pack multiple records of payload size
+     * MFL into a single datagram. However, this would mean that there's
+     * no way to explicitly communicate MTU restrictions to the peer.
+     *
+     * The following reduction of max_len makes sure that we never
+     * write datagrams larger than MFL + Record Expansion Overhead.
+     */
+    if( max_len <= ssl->out_left )
+        return( 0 );
+
+    max_len -= ssl->out_left;
 #endif

    ret = ssl_get_remaining_space_in_datagram( ssl );