From: Martin Willi Date: Mon, 6 Sep 2010 08:55:15 +0000 (+0200) Subject: Parse unsupported TLS Hello extensions properly X-Git-Tag: 4.5.0~216 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f89143b841faf78b33619cad93b93a381b49c90;p=thirdparty%2Fstrongswan.git Parse unsupported TLS Hello extensions properly
---
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index aa371c30a3..e6cce311c9 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -220,29 +220,25 @@ static status_t process_client_hello(private_tls_server_t *this,
 extensions = tls_reader_create(ext);
 while (extensions->remaining(extensions))
 {
- if (!extensions->read_uint16(extensions, &extension))
+ if (!extensions->read_uint16(extensions, &extension) ||
+ !extensions->read_data16(extensions, &ext))
 {
 DBG1(DBG_TLS, "received invalid ClientHello Extensions");
 this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR);
 extensions->destroy(extensions);
 return NEED_MORE;
 }
- DBG1(DBG_TLS, "received TLS %N extension",
+ DBG1(DBG_TLS, "received TLS '%N' extension",
 tls_extension_names, extension);
+ DBG3(DBG_TLS, "%B", &ext);
 switch (extension)
 {
 case TLS_EXT_SIGNATURE_ALGORITHMS:
- if (extensions->read_data16(extensions, &ext))
- {
- this->hashsig = chunk_clone(ext);
- }
+ this->hashsig = chunk_clone(ext);
 break;
 case TLS_EXT_ELLIPTIC_CURVES:
 this->curves_received = TRUE;
- if (extensions->read_data16(extensions, &ext))
- {
- this->curves = chunk_clone(ext);
- }
+ this->curves = chunk_clone(ext);
 break;
 default:
 break;
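Review bot: The new unconditional `this->hashsig = chunk_clone(ext);` and `this->curves = chunk_clone(ext);` overwrite whatever the field already holds without releasing it, so a ClientHello that carries signature_algorithms or elliptic_curves twice leaks the earlier clone — and this runs for an unauthenticated peer before any key material exists. RFC 5246 §7.4.1.4 forbids more than one extension of the same type, so the cleanest fix is to treat a repeat like the decode failure at the top of the loop (`if (this->hashsig.ptr) { add TLS_FATAL/TLS_DECODE_ERROR, destroy the reader, return NEED_MORE; }`); at minimum release the old buffer first, `chunk_free(&this->hashsig);` and `chunk_free(&this->curves);`. This assumes both fields start out empty for each ClientHello; if process_client_hello resets them before the loop, that code is outside this hunk and I cannot see it. Separately, the per-extension DBG1 line lets any client emit one log entry per extension per hello at what is typically the default log level; DBG2 would be more in keeping with the DBG3 byte dump added beside it. process_client_hello begins before and continues after this hunk.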