diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-05-04 12:18:41 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-05-04 12:23:34 +0200 |
commit | 6d9be4042f29ee9ca45d8ef6698f3e5627464ed3 (patch) | |
tree | 849544437f397c8d4ec6c96b0299df7c7d465fe8 | |
parent | c95c4e8609af3a6b9d0b15f1762f1b931a3104db (diff) | |
download | gnutls-6d9be4042f29ee9ca45d8ef6698f3e5627464ed3.tar.gz |
More precise packet length checking.
Issue discovered using valgrind and the Codenomicon TLS test suite.
-rw-r--r-- | lib/ext/ecc.c | 3 | ||||
-rw-r--r-- | lib/ext/safe_renegotiation.c | 6 | ||||
-rw-r--r-- | lib/ext/signature.c | 3 |
3 files changed, 11 insertions, 1 deletions
diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c index a851ddd880..ee13db6ac9 100644 --- a/lib/ext/ecc.c +++ b/lib/ext/ecc.c @@ -106,6 +106,9 @@ _gnutls_supported_ecc_recv_params(gnutls_session_t session, len = _gnutls_read_uint16(p); p += 2; + if (len % 2 != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + DECR_LEN(data_size, len); for (i = 0; i < len; i += 2) { diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c index 8dce6beaa8..8975641417 100644 --- a/lib/ext/safe_renegotiation.c +++ b/lib/ext/safe_renegotiation.c @@ -258,12 +258,16 @@ static int _gnutls_sr_recv_params(gnutls_session_t session, const uint8_t * data, size_t _data_size) { - unsigned int len = data[0]; + unsigned int len; ssize_t data_size = _data_size; sr_ext_st *priv; extension_priv_data_t epriv; int set = 0, ret; + if (data_size == 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + + len = data[0]; DECR_LEN(data_size, len + 1 /* count the first byte and payload */ ); diff --git a/lib/ext/signature.c b/lib/ext/signature.c index 799a08aaf1..fb971f5a5a 100644 --- a/lib/ext/signature.c +++ b/lib/ext/signature.c @@ -127,6 +127,9 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session, sig_ext_st *priv; extension_priv_data_t epriv; + if (data_size % 2 != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + priv = gnutls_calloc(1, sizeof(*priv)); if (priv == NULL) { gnutls_assert(); |