From: Martin Willi <martin@revosec.ch>
Date: Fri, 21 Mar 2014 08:29:44 +0000 (+0100)
Subject: tls: Check for minimal TLS record length before each record iteration
X-Git-Tag: 5.1.3rc1~11^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f93497507fbdfb3dfdfc2ca830a9ced73d86dab1;p=thirdparty%2Fstrongswan.git

tls: Check for minimal TLS record length before each record iteration

Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.
---

diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6b51e75938..7314602b66 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -218,14 +218,7 @@ METHOD(tls_t, process, status_t,
 	{
 		if (this->input.len == 0)
 		{
-			if (buflen < sizeof(tls_record_t))
-			{
-				DBG2(DBG_TLS, "received incomplete TLS record header");
-				memcpy(&this->head, buf, buflen);
-				this->headpos = buflen;
-				break;
-			}
-			while (TRUE)
+			while (buflen >= sizeof(tls_record_t))
 			{
 				/* try to process records inline */
 				record = buf;
@@ -252,6 +245,13 @@ METHOD(tls_t, process, status_t,
 					return NEED_MORE;
 				}
 			}
+			if (buflen < sizeof(tls_record_t))
+			{
+				DBG2(DBG_TLS, "received incomplete TLS record header");
+				memcpy(&this->head, buf, buflen);
+				this->headpos = buflen;
+				break;
+			}
 		}
 		len = min(buflen, this->input.len - this->inpos);
 		memcpy(this->input.ptr + this->inpos, buf, len);