feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

sanity size check on handshake headers

Browse Source
This commit is contained in:
toddouska
2014-12-01 08:58:52 -08:00
parent 1f8d84553c
commit fe81c2855d
1 changed files with 13 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/internal.c
View File

@ -3107,11 +3107,14 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx,
static int GetHandShakeHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, static int GetHandShakeHeader(CYASSL* ssl, const byte* input, word32* inOutIdx,
byte *type, word32 *size) byte *type, word32 *size, word32 totalSz)
{ {
const byte *ptr = input + *inOutIdx; const byte *ptr = input + *inOutIdx;
(void)ssl; (void)ssl;
*inOutIdx += HANDSHAKE_HEADER_SZ; *inOutIdx += HANDSHAKE_HEADER_SZ;
if (*inOutIdx > totalSz)
return BUFFER_E;
*type = ptr[0]; *type = ptr[0];
c24to32(&ptr[1], size); c24to32(&ptr[1], size);
@ -3122,12 +3125,15 @@ static int GetHandShakeHeader(CYASSL* ssl, const byte* input, word32* inOutIdx,
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
static int GetDtlsHandShakeHeader(CYASSL* ssl, const byte* input, static int GetDtlsHandShakeHeader(CYASSL* ssl, const byte* input,
word32* inOutIdx, byte *type, word32 *size, word32* inOutIdx, byte *type, word32 *size,
word32 *fragOffset, word32 *fragSz) word32 *fragOffset, word32 *fragSz,
word32 totalSz)
{ {
word32 idx = *inOutIdx; word32 idx = *inOutIdx;
*inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA; *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA;
if (*inOutIdx > totalSz)
return BUFFER_E;
*type = input[idx++]; *type = input[idx++];
c24to32(input + idx, size); c24to32(input + idx, size);
@ -5073,7 +5079,7 @@ static int DoHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx,
CYASSL_ENTER("DoHandShakeMsg()"); CYASSL_ENTER("DoHandShakeMsg()");
if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size) != 0) if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size, totalSz) != 0)
return PARSE_ERROR; return PARSE_ERROR;
ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
@ -5181,7 +5187,7 @@ static int DoDtlsHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx,
CYASSL_ENTER("DoDtlsHandShakeMsg()"); CYASSL_ENTER("DoDtlsHandShakeMsg()");
if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type, if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type,
&size, &fragOffset, &fragSz) != 0) &size, &fragOffset, &fragSz, totalSz) != 0)
return PARSE_ERROR; return PARSE_ERROR;
if (*inOutIdx + fragSz > totalSz) if (*inOutIdx + fragSz > totalSz)
@ -9019,7 +9025,8 @@ static void PickHashSigAlgo(CYASSL* ssl,
ssl->suites->sigAlgo = ssl->specs.sig_algo; ssl->suites->sigAlgo = ssl->specs.sig_algo;
ssl->suites->hashAlgo = sha_mac; ssl->suites->hashAlgo = sha_mac;
for (i = 0; i < hashSigAlgoSz; i += 2) { /* i+1 since peek a byte ahead for type */
for (i = 0; (i+1) < hashSigAlgoSz; i += 2) {
if (hashSigAlgo[i+1] == ssl->specs.sig_algo) { if (hashSigAlgo[i+1] == ssl->specs.sig_algo) {
if (hashSigAlgo[i] == sha_mac) { if (hashSigAlgo[i] == sha_mac) {
break; break;