Sanity check cookie_len

Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: Andy Polyakov <appro@openssl.org>

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 8a8ced8abb9ff0fdbc735fff4a4b44d1ddcda128..4bdf90a6575ffa8c6d2ac455589288df22594fb6 100644 (file)
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
 
             /* Generate the cookie */
             if (s->ctx->app_gen_cookie_cb == NULL ||
-                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) {
+                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
+                cookielen > 255) {
                 SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
                 /* This is fatal */
                 return -1;

diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 8aa1ebaa4bf2080ce3716a73834f5919f21d6858..e32c4c10137217c0e7704d38e655aea6949b3e2d 100644 (file)
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s)
 
         if (s->ctx->app_gen_cookie_cb == NULL ||
             s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
-                                      &(s->d1->cookie_len)) == 0) {
+                                      &(s->d1->cookie_len)) == 0 ||
+            s->d1->cookie_len > 255) {
             SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
-                   ERR_R_INTERNAL_ERROR);
+                   SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
             s->state = SSL_ST_ERR;
             return 0;
         }