- Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST)

2024-11-22 11:25:42 +01:00 · 2012-04-05 12:07:34 +00:00 · 2012-04-05 12:07:34 +00:00 · 452d532955
commit 452d532955
parent 6126481796
2 changed files with 11 additions and 0 deletions
--- a/4
+++ b/4
@ -22,6 +22,10 @@ Bugfix
   * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
     Hui Dong)

+Security
+   * Fixed potential memory corruption on miscrafted client messages (found by
+     Frama-C team at CEA LIST)
+
 = Version 1.1.1 released on 2012-01-23
 Bugfix
   * Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -880,6 +880,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
    /*
     * Always compute the MAC (RFC4346, CBCTIME).
     */
+    if( ssl->in_msglen <= ssl->maclen + padlen )
+    {
+        SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                    ssl->in_msglen, ssl->maclen, padlen ) );
+        return( POLARSSL_ERR_SSL_INVALID_MAC );
+    }
+
    ssl->in_msglen -= ( ssl->maclen + padlen );

    ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );