fix bounds check of handshake messages in TLS
@ -5268,9 +5268,12 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
word32 totalSz)
|
word32 totalSz)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
word32 inputLength;
|
||||||
|
|
||||||
WOLFSSL_ENTER("DoHandShakeMsg()");
|
WOLFSSL_ENTER("DoHandShakeMsg()");
|
||||||
|
|
||||||
|
inputLength = ssl->buffers.inputBuffer.length - *inOutIdx;
|
||||||
|
|
||||||
/* If there is a pending fragmented handshake message,
|
/* If there is a pending fragmented handshake message,
|
||||||
* pending message size will be non-zero. */
|
* pending message size will be non-zero. */
|
||||||
if (ssl->arrays->pendingMsgSz == 0) {
|
if (ssl->arrays->pendingMsgSz == 0) {
|
||||||
@ -5289,7 +5292,7 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* size is the size of the certificate message payload */
|
/* size is the size of the certificate message payload */
|
||||||
if (ssl->curSize < size) {
|
if (inputLength - HANDSHAKE_HEADER_SZ < size) {
|
||||||
ssl->arrays->pendingMsgType = type;
|
ssl->arrays->pendingMsgType = type;
|
||||||
ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
|
ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
|
||||||
ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
|
ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
|
||||||
@ -5298,25 +5301,26 @@ static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
if (ssl->arrays->pendingMsg == NULL)
|
if (ssl->arrays->pendingMsg == NULL)
|
||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
XMEMCPY(ssl->arrays->pendingMsg,
|
XMEMCPY(ssl->arrays->pendingMsg,
|
||||||
input + *inOutIdx - HANDSHAKE_HEADER_SZ, ssl->curSize);
|
input + *inOutIdx - HANDSHAKE_HEADER_SZ,
|
||||||
ssl->arrays->pendingMsgOffset = ssl->curSize;
|
inputLength);
|
||||||
*inOutIdx += ssl->curSize - HANDSHAKE_HEADER_SZ;
|
ssl->arrays->pendingMsgOffset = inputLength;
|
||||||
|
*inOutIdx += inputLength - HANDSHAKE_HEADER_SZ;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
|
ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if (ssl->curSize + ssl->arrays->pendingMsgOffset
|
if (inputLength + ssl->arrays->pendingMsgOffset
|
||||||
> ssl->arrays->pendingMsgSz) {
|
> ssl->arrays->pendingMsgSz) {
|
||||||
|
|
||||||
return BUFFER_ERROR;
|
return BUFFER_ERROR;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
|
XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
|
||||||
input + *inOutIdx, ssl->curSize);
|
input + *inOutIdx, inputLength);
|
||||||
ssl->arrays->pendingMsgOffset += ssl->curSize;
|
ssl->arrays->pendingMsgOffset += inputLength;
|
||||||
*inOutIdx += ssl->curSize;
|
*inOutIdx += inputLength;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
|
if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
|
||||||
|
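Review bot: The new comparison `inputLength - HANDSHAKE_HEADER_SZ < size` and the later `*inOutIdx += inputLength - HANDSHAKE_HEADER_SZ` subtract from a `word32`, so if fewer than HANDSHAKE_HEADER_SZ bytes remain in the input buffer the result wraps to a very large value. In that case the fragment branch is skipped and the message goes to DoHandShakeMsgType as if it were complete. Whether the header parsing between the first two hunks already rules this out is not visible here, so I would make the guard explicit ahead of the comparison: `if (inputLength < HANDSHAKE_HEADER_SZ) return BUFFER_ERROR;`. The initial `ssl->buffers.inputBuffer.length - *inOutIdx` wraps the same way if the index can ever exceed the buffer length, and deserves either a check or a comment stating the invariant. DoHandShakeMsg has code between the hunks and past the last one that is not shown.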