wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

DTLS Handshake Message CAP

Browse Source 
Cap the incoming DTLS handshake messages size the same way we do for
TLS. If handshake messages claim to be larger than the largest allowed
certificate message, we error out.
This commit is contained in:
John Safranek
2019-12-17 16:55:58 -08:00
parent feeb18600f
commit ef6938d2bc
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/internal.c
View File

@@ -12359,6 +12359,14 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return PARSE_ERROR; return PARSE_ERROR;
} }
/* Cap the maximum size of a handshake message to something reasonable.
* By default is the maximum size of a certificate message assuming
* nine 2048-bit RSA certificates in the chain. */
if (size > MAX_HANDSHAKE_SZ) {
WOLFSSL_MSG("Handshake message too large");
return HANDSHAKE_SIZE_ERROR;
}
/* check that we have complete fragment */ /* check that we have complete fragment */
if (*inOutIdx + fragSz > totalSz) { if (*inOutIdx + fragSz > totalSz) {
WOLFSSL_ERROR(INCOMPLETE_DATA); WOLFSSL_ERROR(INCOMPLETE_DATA);