buffers: simplify and tighten parse_handshake_header checks
authorAlexander Sosedkin <asosedkin@redhat.com>
Mon, 23 Mar 2026 14:57:39 +0000 (15:57 +0100)
committerAlexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:02 +0000 (15:35 +0200)
* frag_size > data_size is now rejected even when length == 0
* length == 0 && frag_size > 0 is now rejected even when start_offset == 0
* start_offset > length is now rejected even when frag_size == 0

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/buffers.c

index c3df8a37bc584428d72daaa812aee15727ef0387..af77c5c0fce8899dc5d699665d89a6282fe06f6a 100644 (file)
@@ -931,14 +931,9 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
        memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
               handshake_header_size);
 
-       if (hsk->length > 0 &&
-           (frag_length > data_size ||
-            (frag_length > 0 &&
-             hsk->start_offset + frag_length > hsk->length))) {
+       if (frag_length > data_size) /* fragment straight up lying to us */
                return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-       } else if (hsk->length == 0 &&
-                  hsk->start_offset + frag_length != hsk->start_offset &&
-                  hsk->start_offset != 0)
+       if (frag_length + hsk->start_offset > hsk->length) /* reassembly OOB */
                return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
 
        return handshake_header_size;
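Review bot: The new reassembly bound `frag_length + hsk->start_offset > hsk->length` is only sound if the sum cannot wrap, and the types and ranges of `frag_length` and `hsk->start_offset` are declared outside this hunk. Both values appear to be derived from the peer's handshake header, so a wrap-proof form is worth the extra comparison: `if (hsk->start_offset > hsk->length || frag_length > hsk->length - hsk->start_offset)`. If the fields are already capped by the wire format before this point, a one-line comment next to the check stating that cap would record why the addition is safe. The body of parse_handshake_header begins before the hunk, so this could not be confirmed from the lines shown.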