From 7e9be23628cede5c710fd2a9f593663aa54ccdcc Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 26 Mar 2014 13:54:16 -0700 Subject: [PATCH] fix item 5 from report by Ivan Fratric of the Google Security Team --- src/internal.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index b99d56319..64a13a0c7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4739,7 +4739,8 @@ int DoApplicationData(CYASSL* ssl, byte* input, word32* inOutIdx) /* process alert, return level */ -static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) +static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type, + word32 totalSz) { byte level; byte code; @@ -4752,6 +4753,11 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) AddPacketInfo("Alert", &ssl->timeoutInfo, input + *inOutIdx - RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap); #endif + + /* make sure can read the message */ + if (*inOutIdx + ALERT_SIZE > totalSz) + return BUFFER_E; + level = input[(*inOutIdx)++]; code = input[(*inOutIdx)++]; ssl->alert_history.last_rx.code = code; @@ -4769,6 +4775,8 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) CYASSL_ERROR(*type); if (ssl->keys.encryptionOn) { + if (*inOutIdx + ssl->keys.padSz > totalSz) + return BUFFER_E; *inOutIdx += ssl->keys.padSz; } @@ -5213,7 +5221,8 @@ int ProcessReply(CYASSL* ssl) case alert: CYASSL_MSG("got ALERT!"); ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer, - &ssl->buffers.inputBuffer.idx, &type); + &ssl->buffers.inputBuffer.idx, &type, + ssl->buffers.inputBuffer.length); if (ret == alert_fatal) return FATAL_ERROR; else if (ret < 0)