Stricter check on SSL ClientHello internal sizes compared to actual packet size
parent
dff3139cc8
commit
0f651c7422
2 changed files with 9 additions and 5 deletions
|
@ -5,6 +5,8 @@ Bugfix
|
||||||
* Fix in debug_print_msg()
|
* Fix in debug_print_msg()
|
||||||
* Enforce alignment in the buffer allocator even if buffer is not alligned
|
* Enforce alignment in the buffer allocator even if buffer is not alligned
|
||||||
* Remove less-than-zero checks on unsigned numbers
|
* Remove less-than-zero checks on unsigned numbers
|
||||||
|
* Stricter check on SSL ClientHello internal sizes compared to actual packet
|
||||||
|
size (found by TrustInSoft)
|
||||||
|
|
||||||
= PolarSSL 1.3.7 released on 2014-05-02
|
= PolarSSL 1.3.7 released on 2014-05-02
|
||||||
Features
|
Features
|
||||||
|
|
|
@ -1209,8 +1209,9 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
* 38 . 38 session id length
|
* 38 . 38 session id length
|
||||||
* 39 . 38+x session id
|
* 39 . 38+x session id
|
||||||
* 39+x . 40+x ciphersuitelist length
|
* 39+x . 40+x ciphersuitelist length
|
||||||
* 41+x . .. ciphersuitelist
|
* 41+x . 40+y ciphersuitelist
|
||||||
* .. . .. compression alg.
|
* 41+y . 41+y compression alg length
|
||||||
|
* 42+y . 41+z compression algs
|
||||||
* .. . .. extensions
|
* .. . .. extensions
|
||||||
*/
|
*/
|
||||||
SSL_DEBUG_BUF( 4, "record contents", buf, n );
|
SSL_DEBUG_BUF( 4, "record contents", buf, n );
|
||||||
|
@ -1275,7 +1276,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
sess_len = buf[38];
|
sess_len = buf[38];
|
||||||
|
|
||||||
if( sess_len > 32 )
|
if( sess_len > 32 || sess_len > n - 42 )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
@ -1293,7 +1294,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
ciph_len = ( buf[39 + sess_len] << 8 )
|
ciph_len = ( buf[39 + sess_len] << 8 )
|
||||||
| ( buf[40 + sess_len] );
|
| ( buf[40 + sess_len] );
|
||||||
|
|
||||||
if( ciph_len < 2 || ( ciph_len % 2 ) != 0 )
|
if( ciph_len < 2 || ( ciph_len % 2 ) != 0 || ciph_len > n - 42 - sess_len )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
@ -1304,7 +1305,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
comp_len = buf[41 + sess_len + ciph_len];
|
comp_len = buf[41 + sess_len + ciph_len];
|
||||||
|
|
||||||
if( comp_len < 1 || comp_len > 16 )
|
if( comp_len < 1 || comp_len > 16 ||
|
||||||
|
comp_len > n - 42 - sess_len - ciph_len )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
|
|
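Review bot: The new bound `sess_len > n - 42` on the changed `if` line only holds if n >= 42 has been established before the session-id read; if n is an unsigned type and a shorter ClientHello reaches this point, `n - 42` wraps and the check accepts any sess_len up to 32, and the later `n - 42 - sess_len` and `n - 42 - sess_len - ciph_len` bounds in the following two hunks inherit the same wrap. Unless such a minimum-length check already exists earlier in ssl_parse_client_hello (the function starts and ends outside these hunks), it is cheap to make explicit, e.g. `if( n < 42 || sess_len > 32 || sess_len > n - 42 )`, where the short-circuit keeps the subtraction from running on a short message; since `buf[38]` is read on the line just above, the guard is better placed before that read. The constant 42 is now repeated in three conditions with no explanation; a comment such as `/* 42 = fixed bytes up to and including the compression-algs length byte (0..38, 2 ciphersuite-length bytes, 1 comp-length byte) */`, or a single remaining-length variable decremented as each field is consumed, would make the arithmetic auditable. Whether the extension-length bytes that follow the compression algs get an equivalent bound is outside the hunk and worth confirming.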