authorMartin Thomson <mt@lowentropy.net>2019-02-13 08:49:16 +1100
committerMartin Thomson <mt@lowentropy.net>2019-02-13 08:49:16 +1100
commit2a93a3f21372bd63175e5f277d3b98949489bd87 (patch)
tree51fc1ed17e6961d32f207e774a372f2f32ac9f9d
parent104cee2c73df6fcbc525ba66e33d382774fa603c (diff)
Bug 1520459 - Send decode_error for padded record_size_limit extension, r=jcj
Summary: This is all I plan to do for this bug. Reviewers: jcj Tags: #secure-revision Bug #: 1520459 Differential Revision: https://phabricator.services.mozilla.com/D19576
-rw-r--r--gtests/ssl_gtest/ssl_recordsize_unittest.cc10
-rw-r--r--lib/ssl/ssl3exthandle.c2
2 files changed, 11 insertions, 1 deletions
diff --git a/gtests/ssl_gtest/ssl_recordsize_unittest.cc b/gtests/ssl_gtest/ssl_recordsize_unittest.cc
index 0a54ae1a8..c9149bcd9 100644
--- a/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+++ b/gtests/ssl_gtest/ssl_recordsize_unittest.cc
@@ -397,6 +397,16 @@ TEST_P(TlsConnectGeneric, RecordSizeServerExtensionInvalid) {
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
}
+TEST_P(TlsConnectGeneric, RecordSizeServerExtensionExtra) {
+ EnsureTlsSetup();
+ server_->SetOption(SSL_RECORD_SIZE_LIMIT, 1000);
+ static const uint8_t v[] = {0x01, 0x00, 0x00};
+ auto replace = MakeTlsFilter<TlsExtensionReplacer>(
+ server_, ssl_record_size_limit_xtn, DataBuffer(v, sizeof(v)));
+ replace->EnableDecryption();
+ ConnectExpectAlert(client_, kTlsAlertDecodeError);
+}
+
class RecordSizeDefaultsTest : public ::testing::Test {
public:
void SetUp() {
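Review bot: The payload in `static const uint8_t v[] = {0x01, 0x00, 0x00};` carries no comment saying which part is the malformation, so a reader has to work out that 0x0100 is an acceptable limit (256) and that the trailing 0x00 is the padding under test. A one-line comment such as `// A valid limit (256) followed by one trailing byte; the extra byte must be rejected with decode_error.` would make the intent of the test and the expected alert self-explanatory. The extension handler patched in the second file appears to be shared by both endpoints, so a mirror case that pads the client's extension would pin the other direction as well, although the commit message suggests that is deliberately out of scope.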
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
index a2d83fa97..e25a8f887 100644
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -1927,7 +1927,7 @@ ssl_HandleRecordSizeLimitXtn(const sslSocket *ss, TLSExtensionData *xtnData,
return SECFailure;
}
if (data->len != 0 || limit < 64) {
- ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
+ ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
return SECFailure;
}
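Review bot: The new alert applies to the whole condition `data->len != 0 || limit < 64`, so an undersized limit now produces decode_error too, whereas RFC 8449 §4 prescribes illegal_parameter for a record_size_limit below 64; only the leftover-bytes case is a decoding problem. The existing RecordSizeServerExtensionInvalid test shown at the top of the first hunk still expects kTlsAlertIllegalParameter, so if its body (not visible here) sends a small limit it would now observe the wrong alert. Splitting the check keeps the RFC-mandated alert for the value check and reserves decode_error for trailing bytes. ssl_HandleRecordSizeLimitXtn begins and ends outside this hunk.
```c
    /* … unchanged: ssl3_ExtConsumeHandshakeNumber call and its SECFailure return … */
    /* Leftover bytes are a framing problem: decode_error. */
    if (data->len != 0) {
        ssl3_ExtSendAlert(ss, alert_fatal, decode_error);
        PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
        return SECFailure;
    }
    /* A well-formed but out-of-range value: RFC 8449 requires illegal_parameter. */
    if (limit < 64) {
        ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter);
        PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
        return SECFailure;
    }
```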