cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Sanity length checks in ssl_read_record() and ssl_fetch_input()

Browse Source 
Both are already covered in other places, but not in a clear fashion. So
for instance Coverity thinks the value is still tainted.
This commit is contained in:
Paul Bakker 2014-04-30 14:38:05 +02:00
parent 24f37ccaed
commit 1a1fbba1ae
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
library/ssl_tls.c
View File

@ -1908,6 +1908,12 @@ int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
if( nb_want > SSL_BUFFER_LEN - 8 )
{
SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
}
while( ssl->in_left < nb_want ) while( ssl->in_left < nb_want )
{ {
len = nb_want - ssl->in_left; len = nb_want - ssl->in_left;
@ -2131,13 +2137,20 @@ int ssl_read_record( ssl_context *ssl )
return( POLARSSL_ERR_SSL_INVALID_RECORD ); return( POLARSSL_ERR_SSL_INVALID_RECORD );
} }
/* Sanity check (outer boundaries) */
if( ssl->in_msglen < 1 || ssl->in_msglen > SSL_BUFFER_LEN - 13 )
{
SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( POLARSSL_ERR_SSL_INVALID_RECORD );
}
/* /*
* Make sure the message length is acceptable * Make sure the message length is acceptable for the current transform
* and protocol version.
*/ */
if( ssl->transform_in == NULL ) if( ssl->transform_in == NULL )
{ {
if( ssl->in_msglen < 1 || if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
ssl->in_msglen > SSL_MAX_CONTENT_LEN )
{ {
SSL_DEBUG_MSG( 1, ( "bad message length" ) ); SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( POLARSSL_ERR_SSL_INVALID_RECORD ); return( POLARSSL_ERR_SSL_INVALID_RECORD );