When assigning the TLS version, double check that it is valid.
author Nikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 22 May 2014 07:21:20 +0000 (09:21 +0200)
committer Nikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 22 May 2014 07:21:20 +0000 (09:21 +0200)
lib/gnutls_handshake.c
lib/gnutls_int.h
lib/gnutls_priority.c

index d9859485489b065eb8cd0beb58ff19b9f1de9876..8b4222b53a8b3e5f009cdfcae7dae663fa14c923 100644 (file)
@@ -168,10 +168,11 @@ static int resume_copy_required_values(gnutls_session_t session)
            NULL)
                return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
 
-       _gnutls_set_current_version(session,
+       if (_gnutls_set_current_version(session,
                                    session->internals.
                                    resumed_security_parameters.pversion->
-                                   id);
+                                   id) < 0)
+               return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
 
        session->security_parameters.cert_type =
            session->internals.resumed_security_parameters.cert_type;
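Review bot: The new check in resume_copy_required_values throws away the callee's return value and re-synthesises GNUTLS_E_UNSUPPORTED_VERSION_PACKET at the call site; propagating it keeps the two in step if _gnutls_set_current_version ever gains a second failure mode, e.g. `ret = _gnutls_set_current_version(session, session->internals.resumed_security_parameters.pversion->id); if (ret < 0) return gnutls_assert_val(ret);` (declare `ret` if the function does not already have one — its head is outside the hunk). The same hard-coded error appears in the hunks for _gnutls_negotiate_version, _gnutls_read_server_hello, _gnutls_send_client_hello, gnutls_protocol_set_priority and gnutls_priority_set.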
@@ -419,7 +420,8 @@ _gnutls_negotiate_version(gnutls_session_t session,
                ret = adv_version;
        }
 
-       _gnutls_set_current_version(session, ret);
+       if (_gnutls_set_current_version(session, ret) < 0)
+               return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
 
        return ret;
 }
@@ -1724,7 +1726,8 @@ _gnutls_read_server_hello(gnutls_session_t session,
                gnutls_assert();
                return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
        } else {
-               _gnutls_set_current_version(session, version);
+               if (_gnutls_set_current_version(session, version) < 0)
+                       return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
        }
 
        pos += 2;
@@ -1955,7 +1958,8 @@ static int _gnutls_send_client_hello(gnutls_session_t session, int again)
                 * (RSA uses it).
                 */
                set_adv_version(session, hver->major, hver->minor);
-               _gnutls_set_current_version(session, hver->id);
+               if (_gnutls_set_current_version(session, hver->id) < 0)
+                       return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
 
                if (session->internals.priorities.ssl3_record_version != 0) {
                        /* Advertize the SSL 3.0 record packet version in
index c5d238d7313f0c2f61de439ac4e79a358039159d..490ccbe907b77c5cf6804c6fa61778654578b949 100644 (file)
@@ -1040,16 +1040,21 @@ inline static unsigned get_num_version(gnutls_session_t session)
 
 void _gnutls_priority_update_fips(void);
 
-#define _gnutls_set_current_version(s, v) { \
-  s->security_parameters.pversion = version_to_entry(v); \
-  }
-
 #define timespec_sub_ms _gnutls_timespec_sub_ms
 unsigned int
 /* returns a-b in ms */
  timespec_sub_ms(struct timespec *a, struct timespec *b);
 
 #include <algorithms.h>
+inline static int _gnutls_set_current_version(gnutls_session_t s, unsigned v)
+{
+       s->security_parameters.pversion = version_to_entry(v);
+       if (s->security_parameters.pversion == NULL) {
+               return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+       }
+       return 0;
+}
+
 inline static size_t max_user_send_size(gnutls_session_t session,
                                        record_parameters_st *
                                        record_params)
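Review bot: On failure the new _gnutls_set_current_version stores the NULL from version_to_entry() into s->security_parameters.pversion before returning, so every caller that returns the error leaves the session with a NULL pversion; any later path that dereferences it (get_num_version is declared in this same header) would then crash on a session that was merely refused a version. Assigning only after the lookup succeeds keeps the previous entry in place on error; the type name below is what version_to_entry() returns in algorithms.h as far as I can tell, so confirm it. The function also deserves a short contract comment, e.g. `/* Sets the session's protocol version; returns 0 or GNUTLS_E_UNSUPPORTED_VERSION_PACKET if v is not a known version, in which case pversion is left unchanged. */`.
```c
inline static int _gnutls_set_current_version(gnutls_session_t s, unsigned v)
{
        const version_entry_st *entry = version_to_entry(v);

        if (entry == NULL)
                return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
        s->security_parameters.pversion = entry;
        return 0;
}
```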
index 941679750e186d2a8c61ac8369735dcc2e57142d..916ce850e490b73621378271770e8147bd067a45 100644 (file)
@@ -199,7 +199,8 @@ int gnutls_protocol_set_priority(gnutls_session_t session, const int *list)
                /* set the current version to the first in the chain.
                 * This will be overridden later.
                 */
-               _gnutls_set_current_version(session, list[0]);
+               if (_gnutls_set_current_version(session, list[0]) < 0)
+                       return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
        }
 
        return 0;
@@ -615,10 +616,13 @@ gnutls_priority_set(gnutls_session_t session, gnutls_priority_t priority)
        /* set the current version to the first in the chain.
         * This will be overridden later.
         */
-       if (session->internals.priorities.protocol.algorithms > 0)
-               _gnutls_set_current_version(session,
+       if (session->internals.priorities.protocol.algorithms > 0) {
+               if (_gnutls_set_current_version(session,
                                            session->internals.priorities.
-                                           protocol.priority[0]);
+                                           protocol.priority[0]) < 0) {
+                       return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+               }
+       }
 
        if (session->internals.priorities.protocol.algorithms == 0 ||
            session->internals.priorities.cipher.algorithms == 0 ||
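Review bot: The early return added to gnutls_priority_set fires after protocol.priority[0] is already read back from session->internals.priorities, so if the priority struct was copied into the session earlier in the function (not visible in this hunk), a failure leaves the new priorities applied but no protocol version set, while the caller sees an error and may keep using the session. Either validate `priority->protocol.priority[0]` before the copy, or state in the function's doc comment that on error the session's priorities are unspecified and the session should not be used for a handshake. GNUTLS_E_UNSUPPORTED_VERSION_PACKET also describes a malformed wire packet, whereas here the bad value comes from a list the library's own priority parser produced, so an internal-error code may describe the condition more accurately. gnutls_priority_set begins before the hunk.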