diff --git a/ChangeLog b/ChangeLog index 83613b906..a174aebc8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ Security * Forbid sequence number wrapping * Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft) + * Fix length checking for AEAD ciphersuites (found by Codenomicon). + It was possible to crash the server (and client) using crafted messages + when a GCM suite was chosen. Bugfix * Fixed X.509 hostname comparison (with non-regular characters) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4add6a280..bad3188b9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1254,6 +1254,9 @@ static int ssl_decrypt_buf( ssl_context *ssl ) size_t dec_msglen; unsigned char add_data[13]; int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE; + unsigned char taglen = 16; + unsigned char explicit_iv_len = ssl->transform_in->ivlen - + ssl->transform_in->fixed_ivlen; #if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C) if( ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_128_GCM_SHA256 || @@ -1261,11 +1264,16 @@ static int ssl_decrypt_buf( ssl_context *ssl ) ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 || ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ) { - dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen - - ssl->transform_in->fixed_ivlen ); - dec_msglen -= 16; - dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen - - ssl->transform_in->fixed_ivlen ); + if( ssl->in_msglen < explicit_iv_len + taglen ) + { + SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) " + "+ taglen (%d)", ssl->in_msglen, + explicit_iv_len, taglen ) ); + return( POLARSSL_ERR_SSL_INVALID_MAC ); + } + dec_msglen = ssl->in_msglen - explicit_iv_len - taglen; + + dec_msg = ssl->in_msg + explicit_iv_len; dec_msg_result = ssl->in_msg; ssl->in_msglen = dec_msglen;