RT3301: Discard too-long heartbeat requests
authorErik Auerswald <auerswal@unix-ag.uni-kl.de>
Wed, 27 Aug 2014 02:50:34 +0000 (22:50 -0400)
committerRich Salz <rsalz@openssl.org>
Mon, 8 Sep 2014 15:23:10 +0000 (11:23 -0400)
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e4bad6303e7d214cdcf2536487aabe4)

ssl/d1_both.c

index 89cdca8..2e4250f 100644 (file)
@@ -1492,6 +1492,9 @@ dtls1_process_heartbeat(SSL *s)
        /* Read type and payload length first */
        if (1 + 2 + 16 > s->s3->rrec.length)
                return 0; /* silently discard */
+       if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
+               return 0; /* silently discard per RFC 6520 sec. 4 */
+
        hbtype = *p++;
        n2s(p, payload);
        if (1 + 2 + payload + 16 > s->s3->rrec.length)