Add compile-time checks for size of record content and payload

2024-11-23 07:45:43 +01:00 · 2017-09-18 10:54:39 +01:00 · 2017-09-18 10:54:39 +01:00 · 6499bedfa8
commit 6499bedfa8
parent 41a38dfed6
1 changed files with 24 additions and 5 deletions
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -24,6 +24,7 @@
 #define MBEDTLS_SSL_INTERNAL_H

 #include "ssl.h"
+#include "cipher.h"

 #if defined(MBEDTLS_MD5_C)
 #include "md5.h"
@ -134,13 +135,31 @@
 #define MBEDTLS_SSL_PADDING_ADD              0
 #endif

-#define MBEDTLS_SSL_BUFFER_LEN  ( MBEDTLS_SSL_MAX_CONTENT_LEN               \
-                        + MBEDTLS_SSL_COMPRESSION_ADD               \
-                        + 29 /* counter + header + IV */    \
-                        + MBEDTLS_SSL_MAC_ADD                       \
-                        + MBEDTLS_SSL_PADDING_ADD                   \
+#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN    \
+                        + MBEDTLS_SSL_COMPRESSION_ADD            \
+                        + MBEDTLS_MAX_IV_LENGTH                  \
+                        + MBEDTLS_SSL_MAC_ADD                    \
+                        + MBEDTLS_SSL_PADDING_ADD                \
                        )

+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error Bad configuration - record content too large.
+#endif
+
+#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048
+#error Bad configuration - protected record payload too large.
+#endif
+
+#define MBEDTLS_SSL_BUFFER_LEN  ( MBEDTLS_SSL_PAYLOAD_LEN        \
+                        + 5 /* TLS record header      */         \
+                        + 8 /* Additional DTLS fields */         \
+                        )
+
+
 /*
 * TLS extension flags (for extensions with outgoing ServerHello content
 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because