RT3301: Discard too-long heartbeat requests

author Erik Auerswald <auerswal@unix-ag.uni-kl.de>

Wed, 27 Aug 2014 02:50:34 +0000 (22:50 -0400)

committer Rich Salz <rsalz@openssl.org>

Mon, 8 Sep 2014 15:23:10 +0000 (11:23 -0400)
author Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Wed, 27 Aug 2014 02:50:34 +0000 (22:50 -0400)
committer Rich Salz <rsalz@openssl.org>
Mon, 8 Sep 2014 15:23:10 +0000 (11:23 -0400)
diff --git a/ssl/d1_both.c b/ssl/d1_both.c

index 89cdca806480b63022d72a19a99ad23cb1582fee..2e4250fcfecfd40023b4b8586b9b3ad1deb7662d 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1492,6 +1492,9 @@ dtls1_process_heartbeat(SSL *s)
         /* Read type and payload length first */
         if (1 + 2 + 16 > s->s3->rrec.length)
                 return 0; /* silently discard */
+       if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
+               return 0; /* silently discard per RFC 6520 sec. 4 */
+
         hbtype = *p++;
         n2s(p, payload);
         if (1 + 2 + payload + 16 > s->s3->rrec.length)
author	Erik Auerswald <auerswal@unix-ag.uni-kl.de>
	Wed, 27 Aug 2014 02:50:34 +0000 (22:50 -0400)
committer	Rich Salz <rsalz@openssl.org>
	Mon, 8 Sep 2014 15:23:10 +0000 (11:23 -0400)