Diffstat (limited to 'lib/gnutls_handshake.c')
-rw-r--r--lib/gnutls_handshake.c31
1 files changed, 21 insertions, 10 deletions
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 98aa86cb8f..d7981802a0 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1003,6 +1003,14 @@ _gnutls_recv_handshake_header (gnutls_session_t session,
*recv_type = session->internals.handshake_header_buffer.recv_type;
+ if (*recv_type != type)
+ {
+ gnutls_assert ();
+ _gnutls_handshake_log
+ ("HSK[%x]: Handshake type mismatch (under attack?)\n", session);
+ return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
+ }
+
return session->internals.handshake_header_buffer.packet_length;
}
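Review bot: The new `_gnutls_handshake_log` call passes `session` to a `%x` conversion, but `session` is a pointer (it is dereferenced with `->` on the line above), so the argument does not match the format and the printed value is truncated or undefined on 64-bit targets. The message also records neither the expected nor the received handshake type, which is what someone triaging an aborted handshake needs; consider `("HSK[%p]: Handshake type mismatch: expected %d, got %d\n", (void *) session, (int) type, (int) *recv_type);`. The check appears to sit on the branch that returns an already-buffered header, and the rest of `_gnutls_recv_handshake_header` lies outside the hunk. It therefore cannot be confirmed from here whether the freshly-read path makes the same comparison, or whether the buffered header is discarded on this error return.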
@@ -2955,16 +2963,19 @@ _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
}
/**
- * gnutls_handshake_set_max_packet_length - set the maximum length of a handshake message
- * @session: is a #gnutls_session_t structure.
- * @max: is the maximum number.
- *
- * This function will set the maximum size of a handshake message.
- * Handshake messages over this size are rejected. The default value
- * is 16kb which is large enough. Set this to 0 if you do not want to
- * set an upper limit.
- *
- **/
+ * gnutls_handshake_set_max_packet_length - set the maximum size of the handshake
+ * @session: is a #gnutls_session_t structure.
+ * @max: is the maximum number.
+ *
+ * This function will set the maximum size of all handshake messages.
+ * Handshakes over this size are rejected with
+ * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
+ * 48kb which is typically large enough. Set this to 0 if you do not
+ * want to set an upper limit.
+ *
+ * The reason for restricting the handshake message sizes are to
+ * limit Denial of Service attacks.
+ **/
void
gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
{
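Review bot: The rewritten doc comment leaves the contract of `@max` ambiguous: "maximum size of all handshake messages" can be read as a per-message limit or as a cumulative limit over the whole handshake, and `@max: is the maximum number.` gives no unit. I would state it explicitly, e.g. `@max: is the maximum size in bytes, or 0 for no limit.`, and say in the description which of the two readings applies. Since the comment names Denial of Service as the reason for the limit, it is also worth one sentence noting that passing 0 removes that bound, so callers handling untrusted peers should keep a finite value. The last sentence should read `The reason for restricting the handshake message sizes is to limit Denial of Service attacks.` The function body and the constant behind the documented 48kb default are outside this hunk, so the default should be checked against the definition.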