X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Frecord%2Fssl3_record.c;h=919202a46e41aece3fc56f3087f95aaa3ed98afe;hp=d8c7b1ea05bffac86d5fd8fc6dbbeef40a88c859;hb=124f6ff4c248842f52fa45b21efe58159413e8f7;hpb=846ec07d904f9cc81d486db0db14fb84f61ff6e5

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index d8c7b1ea05..919202a46e 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1,4 +1,3 @@
-/* ssl/record/ssl3_record.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -275,6 +274,21 @@ int ssl3_get_record(SSL *s)
             }
 
             if ((version >> 8) != SSL3_VERSION_MAJOR) {
+                if (s->first_packet) {
+                    /* Go back to start of packet, look at the five bytes
+                     * that we have. */
+                    p = RECORD_LAYER_get_packet(&s->rlayer);
+                    if (strncmp((char *)p, "GET ", 4) == 0 ||
+                        strncmp((char *)p, "POST ", 5) == 0 ||
+                        strncmp((char *)p, "HEAD ", 5) == 0 ||
+                        strncmp((char *)p, "PUT ", 4) == 0) {
+                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST);
+                        goto err;
+                    } else if (strncmp((char *)p, "CONNE", 5) == 0) {
+                        SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST);
+                        goto err;
+                    }
+                }
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
                 goto err;
             }