Validate ClientHello session_id field length and send alert on failure

[openssl.git] / ssl / ssl_sess.c

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 09d0193f06bb7f07fa9d3363a7b3e07db323e88e..3010bc4d572095e3a45b1abb1aa35a34d264ac51 100644 (file)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -529,12 +529,8 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
     int fatal = 0;
     int try_session_cache = 1;
     int r;
-    size_t len = PACKET_remaining(session_id);
 
-    if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-        goto err;
-
-    if (len == 0)
+    if (PACKET_remaining(session_id) == 0)
         try_session_cache = 0;
 
     /* sets s->tlsext_ticket_expected and extended master secret flag */