]> granicus.if.org Git - openssl/commitdiff
projects / openssl / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aa291c6)
Validate ClientHello session_id field length and send alert on failure
authorAlessandro Ghedini <alessandro@ghedini.me>
Thu, 8 Oct 2015 17:56:03 +0000 (19:56 +0200)
committerMatt Caswell <matt@openssl.org>
Tue, 19 Jan 2016 15:53:23 +0000 (15:53 +0000)
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
ssl/ssl_sess.c patch | blob | history
ssl/statem/statem_srvr.c patch | blob | history

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 09d0193f06bb7f07fa9d3363a7b3e07db323e88e..3010bc4d572095e3a45b1abb1aa35a34d264ac51 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -529,12 +529,8 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
     int fatal = 0;
     int try_session_cache = 1;
     int r;
-    size_t len = PACKET_remaining(session_id);
 
-    if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-        goto err;
-
-    if (len == 0)
+    if (PACKET_remaining(session_id) == 0)
         try_session_cache = 0;
 
     /* sets s->tlsext_ticket_expected and extended master secret flag */
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 78f9f5c7a9cdfbc4f7e92b3d7f682e586a073342..5ee0c94e17acf0095ad6d20602815347dc82dc51 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1082,6 +1082,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
             goto f_err;
         }
 
+        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
+        }
+
         if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
             || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
             || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
@@ -1116,6 +1122,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
             goto f_err;
         }
 
+        if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+            goto f_err;
+        }
+
         if (SSL_IS_DTLS(s)) {
             if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
                 al = SSL_AD_DECODE_ERROR;
Unnamed repository; edit this file 'description' to name the repository.