diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-05-04 12:48:25 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-05-04 12:48:25 +0200 |
commit | 8a052227ed044af8db607264cd0d9d2360fc8265 (patch) | |
tree | fc9a3ca0095349863ca60af8b6e59e2fa24650dd | |
parent | 2339fd54795e77ed0a0366dc98931a2b07a552cb (diff) | |
download | gnutls-8a052227ed044af8db607264cd0d9d2360fc8265.tar.gz |
More precise packet length checking.
Issue discovered using valgrind and the Codenomicon TLS test suite.
-rw-r--r-- | lib/ext/ecc.c | 3 | ||||
-rw-r--r-- | lib/ext/safe_renegotiation.c | 11 | ||||
-rw-r--r-- | lib/ext/signature.c | 3 |
3 files changed, 11 insertions, 6 deletions
diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c index 814f6d8170..cd8e3323dd 100644 --- a/lib/ext/ecc.c +++ b/lib/ext/ecc.c @@ -105,6 +105,9 @@ _gnutls_supported_ecc_recv_params (gnutls_session_t session, len = _gnutls_read_uint16(p); p += 2; + if (len % 2 != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + DECR_LEN (data_size, len); for (i = 0; i < len; i+=2) diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c index 43b17956dc..32edc81cd8 100644 --- a/lib/ext/safe_renegotiation.c +++ b/lib/ext/safe_renegotiation.c @@ -255,11 +255,6 @@ _gnutls_ext_sr_send_cs (gnutls_session_t session) { set = 1; } - else if (ret < 0) - { - gnutls_assert (); - return ret; - } if (set != 0) { @@ -283,12 +278,16 @@ static int _gnutls_sr_recv_params (gnutls_session_t session, const uint8_t * data, size_t _data_size) { - unsigned int len = data[0]; + unsigned int len; ssize_t data_size = _data_size; sr_ext_st *priv; extension_priv_data_t epriv; int set = 0, ret; + if (data_size == 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + + len = data[0]; DECR_LEN (data_size, len + 1 /* count the first byte and payload */ ); if (session->internals.priorities.sr == SR_DISABLED) diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 3710867dee..bd12eb2134 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -120,6 +120,9 @@ _gnutls_sign_algorithm_parse_data (gnutls_session_t session, sig_ext_st *priv; extension_priv_data_t epriv; + if (data_size % 2 != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + priv = gnutls_calloc (1, sizeof (*priv)); if (priv == NULL) { |