authorJack Lloyd <[email protected]>2016-02-16 22:22:03 -0500
committerJack Lloyd <[email protected]>2016-02-16 22:22:03 -0500
commite8700f6f6062fd769dea267646f9ac951de90a05 (patch)
treea8a832334b784f2909125ec36dd1d5a0378abe66 /src/lib
parentc8d8c19861efc74e0e238f3f9c165362fd87467b (diff)
Reject zero length TLS records out of hand.
Later checks on the record length in CCS and record handling already rejected a zero length record but when reading an empty record, readbuf.size() == TLS_HEADER_SIZE and so creating the pointer byte* record_contents = &readbuf[TLS_HEADER_SIZE]; would trigger when running under (at least) GCC's iterator debugging, and likely other iterator checkers also. Since no completely empty record is defined, reject it immediately at the record layer. Found by Juraj Somorovsky. Also correct DTLS record handling for large messages: a zero length or too-long packet should be dropped rather than an exception being thrown.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/tls/tls_record.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index e38b26547..bdb37baad 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -456,7 +456,11 @@ size_t read_tls_record(secure_vector<byte>& readbuf,
if(record_len > MAX_CIPHERTEXT_SIZE)
throw TLS_Exception(Alert::RECORD_OVERFLOW,
- "Got message that exceeds maximum size");
+ "Received a record that exceeds maximum size");
+
+ if(record_len == 0)
+ throw TLS_Exception(Alert::DECODE_ERROR,
+ "Received a completely empty record");
if(size_t needed = fill_buffer_to(readbuf,
input, input_sz, consumed,
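Review bot: The new `record_len == 0` check has no comment saying why it must run before the buffer fill, and the commit message itself notes that later checks already reject empty records, so a later cleanup could mistake it for redundant and remove it. A short comment above it would keep the reason in the code, for example `// An empty body leaves readbuf.size() == TLS_HEADER_SIZE, so &readbuf[TLS_HEADER_SIZE] would index past the end` followed by `// No completely empty record is defined, so reject before reading further`. A regression test that feeds a header with a zero length field and expects the DECODE_ERROR alert would pin the behaviour. read_tls_record starts and ends outside the hunk.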
@@ -543,9 +547,12 @@ size_t read_dtls_record(secure_vector<byte>& readbuf,
const size_t record_len = make_u16bit(readbuf[DTLS_HEADER_SIZE-2],
readbuf[DTLS_HEADER_SIZE-1]);
- if(record_len > MAX_CIPHERTEXT_SIZE)
- throw TLS_Exception(Alert::RECORD_OVERFLOW,
- "Got message that exceeds maximum size");
+ // Invalid packet:
+ if(record_len == 0 || record_len > MAX_CIPHERTEXT_SIZE)
+ {
+ readbuf.clear();
+ return 0;
+ }
if(fill_buffer_to(readbuf, input, input_sz, consumed, DTLS_HEADER_SIZE + record_len))
{
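Review bot: The new drop branch returns 0 without touching `consumed`, so how much of the rejected datagram the caller skips is decided by code outside this hunk; if only the header has been counted at that point, the rest of an oversized packet would presumably be parsed as the start of another record. It is also worth confirming that the caller can tell this 0 from a completed record, since the first hunk names fill_buffer_to's result `needed`, which suggests 0 normally means nothing more is required. The comment `// Invalid packet:` could say why nothing is thrown, for example `// Invalid length: drop silently, a spoofed datagram must not tear down the association`. A counter or debug hook for dropped records would give operators visibility of malformed traffic. read_dtls_record starts and ends outside the hunk.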