From f54fab0feff4d4964c5b3e9668e30b95ba44221f Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Tue, 19 Aug 2014 17:57:53 +0200 Subject: [PATCH] RT3060: Limit the number of empty records. Limit the number of empty records that will be processed consecutively in order to prevent ssl3_get_record from never returning. Reported by "oftc_must_be_destroyed" and George Kadianakis. Reviewed-by: Bodo Moeller (cherry picked from commit 3aac17a82fbaf2bc23ee62f24611e5883d3e7b97) --- ssl/s3_pkt.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index dbbee635c9..a3b45fba9d 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -229,6 +229,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) return(n); } +/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will + * be processed per call to ssl3_get_record. Without this limit an attacker + * could send empty records at a faster rate than we can process and cause + * ssl3_get_record to loop forever. */ +#define MAX_EMPTY_RECORDS 32 + /* Call this to get a new input record. * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. @@ -249,6 +255,7 @@ static int ssl3_get_record(SSL *s) short version; unsigned mac_size, orig_len; size_t extra; + unsigned empty_record_count = 0; rr= &(s->s3->rrec); sess=s->session; @@ -476,7 +483,17 @@ printf("\n"); s->packet_length=0; /* just read a 0 length packet */ - if (rr->length == 0) goto again; + if (rr->length == 0) + { + empty_record_count++; + if (empty_record_count > MAX_EMPTY_RECORDS) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL); + goto f_err; + } + goto again; + } return(1); -- 2.40.0