More precise packet length checking.

Issue discovered using valgrind and the Codenomicon TLS test suite.

3 files changed, 11 insertions, 1 deletions

diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c
index a851ddd880..ee13db6ac9 100644
--- a/lib/ext/ecc.c
+++ b/lib/ext/ecc.c
@@ -106,6 +106,9 @@ _gnutls_supported_ecc_recv_params(gnutls_session_t session,
 		len = _gnutls_read_uint16(p);
 		p += 2;
 
+		if (len % 2 != 0)
+			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
 		DECR_LEN(data_size, len);
 
 		for (i = 0; i < len; i += 2) {
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 8dce6beaa8..8975641417 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -258,12 +258,16 @@ static int
 _gnutls_sr_recv_params(gnutls_session_t session,
 		       const uint8_t * data, size_t _data_size)
 {
-	unsigned int len = data[0];
+	unsigned int len;
 	ssize_t data_size = _data_size;
 	sr_ext_st *priv;
 	extension_priv_data_t epriv;
 	int set = 0, ret;
 
+	if (data_size == 0)
+		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+	len = data[0];
 	DECR_LEN(data_size,
 		 len + 1 /* count the first byte and payload */ );
 
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 799a08aaf1..fb971f5a5a 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -127,6 +127,9 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
 	sig_ext_st *priv;
 	extension_priv_data_t epriv;
 
+	if (data_size % 2 != 0)
+		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
 	priv = gnutls_calloc(1, sizeof(*priv));
 	if (priv == NULL) {
 		gnutls_assert();