Issue discovered using valgrind and the Codenomicon TLS test suite.
len = _gnutls_read_uint16(p);
p += 2;
+ if (len % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
DECR_LEN(data_size, len);
for (i = 0; i < len; i += 2) {
_gnutls_sr_recv_params(gnutls_session_t session,
const uint8_t * data, size_t _data_size)
{
- unsigned int len = data[0];
+ unsigned int len;
ssize_t data_size = _data_size;
sr_ext_st *priv;
extension_priv_data_t epriv;
int set = 0, ret;
+ if (data_size == 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+ len = data[0];
DECR_LEN(data_size,
len + 1 /* count the first byte and payload */ );
sig_ext_st *priv;
extension_priv_data_t epriv;
+ if (data_size % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
priv = gnutls_calloc(1, sizeof(*priv));
if (priv == NULL) {
gnutls_assert();