authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-05-04 12:48:25 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-05-04 12:48:25 +0200
commit8a052227ed044af8db607264cd0d9d2360fc8265 (patch)
treefc9a3ca0095349863ca60af8b6e59e2fa24650dd
parent2339fd54795e77ed0a0366dc98931a2b07a552cb (diff)
More precise packet length checking.
Issue discovered using valgrind and the Codenomicon TLS test suite.
-rw-r--r--lib/ext/ecc.c3
-rw-r--r--lib/ext/safe_renegotiation.c11
-rw-r--r--lib/ext/signature.c3
3 files changed, 11 insertions, 6 deletions
diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c
index 814f6d8170..cd8e3323dd 100644
--- a/lib/ext/ecc.c
+++ b/lib/ext/ecc.c
@@ -105,6 +105,9 @@ _gnutls_supported_ecc_recv_params (gnutls_session_t session,
len = _gnutls_read_uint16(p);
p += 2;
+ if (len % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
DECR_LEN (data_size, len);
for (i = 0; i < len; i+=2)
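Review bot: The parity test added before `DECR_LEN (data_size, len)` has no comment, and its reason is only visible from the loop below, which steps `i+=2` and presumably consumes two bytes per iteration. A one-line comment such as `/* entries are 2 bytes each; an odd length would let the last iteration run past the declared list */` would keep the check from being dropped in a later cleanup. The same applies to the `data_size % 2` test added in lib/ext/signature.c. The commit message says the issue was found with valgrind and a TLS test suite, so a regression vector with an odd-length list for each of these parsers would be worth adding alongside. The function body starts and ends outside the hunk.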
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 43b17956dc..32edc81cd8 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -255,11 +255,6 @@ _gnutls_ext_sr_send_cs (gnutls_session_t session)
{
set = 1;
}
- else if (ret < 0)
- {
- gnutls_assert ();
- return ret;
- }
if (set != 0)
{
@@ -283,12 +278,16 @@ static int
_gnutls_sr_recv_params (gnutls_session_t session,
const uint8_t * data, size_t _data_size)
{
- unsigned int len = data[0];
+ unsigned int len;
ssize_t data_size = _data_size;
sr_ext_st *priv;
extension_priv_data_t epriv;
int set = 0, ret;
+ if (data_size == 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+ len = data[0];
DECR_LEN (data_size, len + 1 /* count the first byte and payload */ );
if (session->internals.priorities.sr == SR_DISABLED)
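Review bot: After `DECR_LEN (data_size, len + 1 ...)` nothing visible in this hunk rejects a non-zero remainder, so an extension body that carries extra bytes after the `len`-byte payload may still be accepted. If the code further down does not already handle this, a check such as `if (data_size != 0) return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);` directly after the `DECR_LEN` would make the length check exact. As a smaller style point, the new empty-input guard tests the signed copy `data_size`; testing the argument itself, `if (_data_size == 0)`, states the intent without relying on the `size_t` to `ssize_t` conversion. The function body continues outside the hunk, so the first point needs confirming there.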
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 3710867dee..bd12eb2134 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -120,6 +120,9 @@ _gnutls_sign_algorithm_parse_data (gnutls_session_t session,
sig_ext_st *priv;
extension_priv_data_t epriv;
+ if (data_size % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
priv = gnutls_calloc (1, sizeof (*priv));
if (priv == NULL)
{
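Review bot: An empty list (`data_size == 0`) passes the new `data_size % 2 != 0` test and goes on to `gnutls_calloc (1, sizeof (*priv))`, so a peer that sends a zero-length list still gets a `priv` allocated and, presumably, stored with no algorithms in it. If no caller legitimately passes an empty list, the guard could read `if (data_size == 0 || data_size % 2 != 0)` so that case is rejected at the same point. Placing the check before the allocation is the right order, since an early return here has nothing to free. The rest of the function is outside the hunk, so how an empty `priv` is treated later could not be checked from here.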