diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl/dtls13con.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/ssl/dtls13con.c b/lib/ssl/dtls13con.c index 5307419b6..a2cf4a8c6 100644 --- a/lib/ssl/dtls13con.c +++ b/lib/ssl/dtls13con.c @@ -460,11 +460,10 @@ dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf) SSL_TRC(10, ("%d: SSL3[%d]: Handling ACK", SSL_GETPID(), ss->fd)); rv = ssl3_ConsumeHandshakeNumber(ss, &length, 2, &b, &l); if (rv != SECSuccess) { - return SECFailure; + goto loser; } if (length != l) { - tls13_FatalError(ss, SSL_ERROR_RX_MALFORMED_DTLS_ACK, decode_error); - return SECFailure; + goto loser; } while (l > 0) { @@ -473,7 +472,7 @@ dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf) rv = ssl3_ConsumeHandshakeNumber64(ss, &seq, 8, &b, &l); if (rv != SECSuccess) { - return SECFailure; + goto loser; } for (cursor = PR_LIST_HEAD(&ss->ssl3.hs.dtlsSentHandshake); @@ -521,6 +520,14 @@ dtls13_HandleAck(sslSocket *ss, sslBuffer *databuf) } } return SECSuccess; + +loser: + /* Due to bug 1829391 we may incorrectly send an alert rather than + * ignore an invalid record here. */ + SSL_TRC(11, ("%d: SSL3[%d]: Error processing DTLS1.3 ACK.", + SSL_GETPID(), ss->fd)); + PORT_SetError(SSL_ERROR_RX_MALFORMED_DTLS_ACK); + return SECFailure; } /* Clean up the read timer for the handshake cipher suites on the |