reject zero length point format list or supported curves extensions

[openssl.git] / ssl / t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c53eadfe302a1b82f06c21a77bd651a96d99c203..fd13a317c16d9f7676327622e7aef09bbd23807d 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1853,7 +1853,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
 
-                       if (ecpointformatlist_length != size - 1)
+                       if (ecpointformatlist_length != size - 1 || 
+                               ecpointformatlist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
@@ -1889,7 +1890,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        int ellipticcurvelist_length = (*(sdata++) << 8);
                        ellipticcurvelist_length += (*(sdata++));
 
-                       if (ellipticcurvelist_length != size - 2)
+                       if (ellipticcurvelist_length != size - 2 ||
+                               ellipticcurvelist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;