authorEKR <ekr@rtfm.com>2016-02-10 14:40:42 +0100
committerEKR <ekr@rtfm.com>2016-02-10 14:40:42 +0100
commit8650cba4348945bab68f8f64d48f98cfdf5eec4f (patch)
tree036919c7d7371e53971d7482c1eab5909009eb16
parent80a97f2d4d8819cabbaba7a3ce16952531c5a5af (diff)
Bug 1248256 - Verify dummy external content type for TLS 1.3. r=mt
-rw-r--r--lib/ssl/tls13con.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index 508af03cf..61aaa238b 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -2010,6 +2010,13 @@ tls13_UnprotectRecord(sslSocket* ss, SSL3Ciphertext *cText, sslBuffer *plaintext
return SECFailure;
}
+ /* Verify that the content type is right, even though we overwrite it. */
+ if (cText->type != content_application_data) {
+ /* Do we need a better error here? */
+ PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+ return SECFailure;
+ }
+
/* Check the version number in the record */
if (cText->version != kRecordVersion) {
/* Do we need a better error here? */
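Review bot: The added content-type check sets `SSL_ERROR_BAD_MAC_READ`, so a record rejected on its cleartext outer type is indistinguishable in logs and telemetry from a genuine authentication failure, and the in-code question "Do we need a better error here?" is left open. If the tree has a dedicated code for an unexpected record type (later NSS has `SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE`; confirm it exists at this revision), use `PORT_SetError(SSL_ERROR_RX_UNEXPECTED_RECORD_TYPE);`; if sharing the MAC error is deliberate, replace the question with a comment that says so. The first comment would also be clearer if it said why the check matters, e.g. `/* TLS 1.3 carries the real type inside the ciphertext; the outer type is a fixed dummy, so any other value means a malformed or tampered header. */`. Whether the caller sends an alert for this failure is not visible, since tls13_UnprotectRecord starts and ends outside the hunk.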