From: Nikos Mavrogiannopoulos
Date: Sun, 4 May 2014 10:18:41 +0000 (+0200)
Subject: More precise packet length checking.
X-Git-Tag: gnutls_3_3_2~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=773546dadaea08e12b7cbbf7d975a98982d9e2cd;p=thirdparty%2Fgnutls.git

More precise packet length checking.

Issue discovered using valgrind and the Codenomicon TLS test suite.
---
diff --git a/lib/ext/ecc.c b/lib/ext/ecc.c
index a851ddd880..ee13db6ac9 100644
--- a/lib/ext/ecc.c
+++ b/lib/ext/ecc.c
@@ -106,6 +106,9 @@ _gnutls_supported_ecc_recv_params(gnutls_session_t session,
 len = _gnutls_read_uint16(p);
 p += 2;
+ if (len % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
 DECR_LEN(data_size, len);
 for (i = 0; i < len; i += 2) {
diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c
index 8dce6beaa8..8975641417 100644
--- a/lib/ext/safe_renegotiation.c
+++ b/lib/ext/safe_renegotiation.c
@@ -258,12 +258,16 @@ static int
 _gnutls_sr_recv_params(gnutls_session_t session,
 const uint8_t * data, size_t _data_size)
 {
- unsigned int len = data[0];
+ unsigned int len;
 ssize_t data_size = _data_size;
 sr_ext_st *priv;
 extension_priv_data_t epriv;
 int set = 0, ret;
+ if (data_size == 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+ len = data[0];
 DECR_LEN(data_size, len + 1 /* count the first byte and payload */ );
diff --git a/lib/ext/signature.c b/lib/ext/signature.c
index 799a08aaf1..fb971f5a5a 100644
--- a/lib/ext/signature.c
+++ b/lib/ext/signature.c
@@ -127,6 +127,9 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session,
 sig_ext_st *priv;
 extension_priv_data_t epriv;
+ if (data_size % 2 != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
 priv = gnutls_calloc(1, sizeof(*priv));
 if (priv == NULL) {
 gnutls_assert();
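Review bot: The `len % 2` check added to `_gnutls_supported_ecc_recv_params` in lib/ext/ecc.c has no comment saying why an odd length is rejected, and the same is true of the `data_size % 2` check added to `_gnutls_sign_algorithm_parse_data` in lib/ext/signature.c. In ecc.c the loop right after it steps with `i += 2`, so presumably each entry is read as two bytes and an odd `len` would take the last read one byte past the list; `/* entries are 2 bytes each; an odd length would overrun the list in the loop below */` above the check would record that. The code that consumes the list in signature.c is outside its hunk, so the comment there should be worded against that code. No test is visible in this patch; an odd-length input for each parser would keep the checks from regressing. Both function bodies start and end outside their hunks.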
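Review bot: The empty-input guard in `_gnutls_sr_recv_params` (lib/ext/safe_renegotiation.c) is an ad hoc `data_size == 0` comparison placed next to a `DECR_LEN` call that already does length accounting, so the function now has two different idioms for the same job. Consuming the length byte through the macro keeps it uniform and also covers a `data_size` that went negative in the `size_t` to `ssize_t` conversion: `DECR_LEN(data_size, 1); len = data[0]; DECR_LEN(data_size, len);`. This assumes `DECR_LEN` fails the call with the packet-length error when the counter underflows, which its use here suggests but the hunk does not show. The function body continues past the end of the hunk.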