From: Mats Klepsland Date: Sat, 15 Sep 2018 12:01:11 +0000 (+0200) Subject: app-layer-ssl: don't decode empty extensions X-Git-Tag: suricata-4.1.0-rc2~84 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eba0d0417171d09f38e1a63875a694f4d2d0df9f;p=thirdparty%2Fsuricata.git app-layer-ssl: don't decode empty extensions --- diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c index 93947184bb..4577c1d4c8 100644 --- a/src/app-layer-ssl.c +++ b/src/app-layer-ssl.c @@ -1122,6 +1122,10 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state, if (!(HAS_SPACE(ext_len))) goto invalid_length; + /* Don't decode empty extensions */ + if (ext_len == 0) + goto next; + parsed = input - initial_input; switch (ext_type) { @@ -1208,6 +1212,7 @@ static inline int TLSDecodeHSHelloExtensions(SSLState *ssl_state, } } +next: processed_len += ext_len + 4; }
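Review bot: The `goto next` taken when `ext_len == 0` bypasses not only `switch (ext_type)` but everything between the switch and the new `next:` label added in the second hunk, and that stretch is not visible here. Some hello extensions are legitimately sent with an empty body, so if any per-extension bookkeeping keyed only on `ext_type` sits in that stretch (recording the type for fingerprinting or logging, for example), zero-length extensions would silently drop out of it and reduce detection fidelity. Consider placing the label ahead of such bookkeeping, or guarding only the decoders that actually read a body, and document the label with a comment such as `/* also reached directly for zero-length extensions; only length accounting below */`. The body of TLSDecodeHSHelloExtensions starts and ends outside both hunks, so this should be checked against the full function.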