From 293b5ca47767005e0341b450eef82633f48359f3 Mon Sep 17 00:00:00 2001
From: Alessandro Ghedini
Date: Thu, 8 Oct 2015 19:56:03 +0200
Subject: [PATCH] Validate ClientHello session_id field length and send alert on failure
RT#4080
Reviewed-by: Rich Salz
Reviewed-by: Matt Caswell
---
 ssl/ssl_sess.c | 6 +-----
 ssl/statem/statem_srvr.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 09d0193f06..3010bc4d57 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -529,12 +529,8 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
 int fatal = 0;
 int try_session_cache = 1;
 int r;
- size_t len = PACKET_remaining(session_id);
- if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
- goto err;
-
- if (len == 0)
+ if (PACKET_remaining(session_id) == 0)
 try_session_cache = 0;
 /* sets s->tlsext_ticket_expected and extended master secret flag */
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 78f9f5c7a9..5ee0c94e17 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1082,6 +1082,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 goto f_err;
 }
+ if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
 if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
 || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
 || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
@@ -1116,6 +1122,12 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 goto f_err;
 }
+ if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
 if (SSL_IS_DTLS(s)) {
 if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
 al = SSL_AD_DECODE_ERROR;
--
2.34.1
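Review bot: With the `len > SSL_MAX_SSL_SESSION_ID_LENGTH` guard removed from the top of ssl_get_prev_session (ssl/ssl_sess.c hunk), the function now depends on its caller to have bounded `session_id`, and nothing on the new side records that precondition. The body continues outside the hunk, so it is not visible whether later code bounds the ID on its own before copying or hashing it. I would state the contract next to the remaining check, for example `/* Caller must already have rejected a session_id longer than SSL_MAX_SSL_SESSION_ID_LENGTH. */`, so a future caller does not pass an unchecked PACKET.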
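Review bot: The new `session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH` block in the -1082 hunk of ssl/statem/statem_srvr.c carries no comment explaining why the bound is enforced in the message parser, and the -1116 hunk repeats the same five lines with the same gap. A one-line comment above each, such as `/* Reject an over-long session_id here so the peer receives a decode_error alert. */`, would keep a later cleanup from folding the check back into session lookup, where the commit subject implies no alert was sent. tls_process_client_hello starts and ends outside both hunks, so the surrounding parsing of the two ClientHello formats is not visible here.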