authorlloyd <[email protected]>2011-12-31 04:14:11 +0000
committerlloyd <[email protected]>2011-12-31 04:14:11 +0000
commit2b266b5fae7e8d8bb346019daf7211da83c597f7 (patch)
tree24403d3ce51d7c81500978db9a348dfb3034a245
parentb1a36938a25baf867123c1d6619d191e089135ff (diff)
A bad decrypt on a TLS 1.0/1.1 message would cause a mostly infinite
loop (size_t overflow), likely causing a segfault. Not exploitable as far as I can tell, beyond the obvious crashing.
-rw-r--r--src/ssl/rec_read.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/ssl/rec_read.cpp b/src/ssl/rec_read.cpp
index 4e5b69780..7e295f8a4 100644
--- a/src/ssl/rec_read.cpp
+++ b/src/ssl/rec_read.cpp
@@ -213,9 +213,14 @@ size_t Record_Reader::get_record(byte& msg_type,
}
else
{
+ bool padding_good = true;
+
for(size_t i = 0; i != pad_size; ++i)
if(plaintext[plaintext.size()-i-1] != pad_value)
- pad_size = 0;
+ padding_good = false;
+
+ if(!padding_good)
+ pad_size = 0;
}
}
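Review bot: The index `plaintext[plaintext.size()-i-1]` in the padding loop is not visibly bounded. If `pad_size` can exceed `plaintext.size()`, the `size_t` subtraction wraps and the loop reads out of bounds, which is the same class of crash this commit fixes. The hunk does not show where `pad_size` and `pad_value` are derived, so this may already be checked earlier in `get_record`; if it is not, a guard before the loop such as `if(pad_size > plaintext.size()) pad_size = 0;` would close it. A comment above the loop would also help, e.g. `// scan every pad byte with no early exit; bad padding is treated as zero-length so the failure surfaces at the MAC check`, assuming that is the intent of setting `pad_size = 0`. The body of `get_record` starts and ends outside the hunk.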