]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
More precise packet length checking.
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 4 May 2014 10:18:41 +0000 (12:18 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 4 May 2014 10:19:11 +0000 (12:19 +0200)
Issue discovered using valgrind and the Codenomicon TLS test suite.

lib/ext/ecc.c
lib/ext/safe_renegotiation.c
lib/ext/signature.c

index a851ddd880bf524ca19906490f6405de28143a68..ee13db6ac9cb618739c9db4bc3f979819bc21b9c 100644 (file)
@@ -106,6 +106,9 @@ _gnutls_supported_ecc_recv_params(gnutls_session_t session,
                len = _gnutls_read_uint16(p);
                p += 2;
 
+               if (len % 2 != 0)
+                       return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
                DECR_LEN(data_size, len);
 
                for (i = 0; i < len; i += 2) {
index 8dce6beaa86cb17ab366e5418620fd1e3b72054f..8975641417a670b8b3a9f0fb2c4e27144a050776 100644 (file)
@@ -258,12 +258,16 @@ static int
 _gnutls_sr_recv_params(gnutls_session_t session,
                       const uint8_t * data, size_t _data_size)
 {
-       unsigned int len = data[0];
+       unsigned int len;
        ssize_t data_size = _data_size;
        sr_ext_st *priv;
        extension_priv_data_t epriv;
        int set = 0, ret;
 
+       if (data_size == 0)
+               return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+       len = data[0];
        DECR_LEN(data_size,
                 len + 1 /* count the first byte and payload */ );
 
index 799a08aaf11e735f73ee283591a297f7102396ba..fb971f5a5a67d48f33665a85f857351b18069155 100644 (file)
@@ -127,6 +127,9 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
        sig_ext_st *priv;
        extension_priv_data_t epriv;
 
+       if (data_size % 2 != 0)
+               return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
        priv = gnutls_calloc(1, sizeof(*priv));
        if (priv == NULL) {
                gnutls_assert();