From: Matt Caswell Date: Tue, 2 Jan 2024 16:48:43 +0000 (+0000) Subject: Don't apply max_frag_len checking if no Max Fragment Length extension X-Git-Tag: openssl-3.3.0-alpha1~282 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c1decd62460072082833909a962892e5042b16bb;p=thirdparty%2Fopenssl.git Don't apply max_frag_len checking if no Max Fragment Length extension Don't check the Max Fragment Length if the it hasn't been negotiated. We were checking it anyway, and using the default value (SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the record length to actually exceed this in some cases. Fixes #23169 Reviewed-by: Tomas Mraz Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/23182) --- diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c index 7da423e2430..be7f3475388 100644 --- a/ssl/record/methods/tls_common.c +++ b/ssl/record/methods/tls_common.c @@ -916,11 +916,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl) } /* - * Check if the received packet overflows the current - * Max Fragment Length setting. - * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive. + * Record overflow checking (e.g. checking if + * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of + * the post_process_record() function above. However we check here if + * the received packet overflows the current Max Fragment Length setting + * if there is one. + * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are + * mutually exclusive. Also note that with KTLS thisrr->length can + * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored) */ - if (thisrr->length > rl->max_frag_len) { + if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH + && thisrr->length > rl->max_frag_len) { RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG); goto end; }