aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-02-16 22:22:03 -0500
committerJack Lloyd <[email protected]>2016-02-16 22:22:03 -0500
commite8700f6f6062fd769dea267646f9ac951de90a05 (patch)
treea8a832334b784f2909125ec36dd1d5a0378abe66 /src
parentc8d8c19861efc74e0e238f3f9c165362fd87467b (diff)
Reject zero length TLS records out of hand.
Later checks on the record length in CCS and record handling already rejected a zero length record but when reading an empty record, readbuf.size() == TLS_HEADER_SIZE and so creating the pointer byte* record_contents = &readbuf[TLS_HEADER_SIZE]; would trigger when running under (at least) GCC'S iterator debugging, and likely other iterator checkers also. Since no completely empty record is defined, reject it immediately at the record layer. Found by Juraj Somorovsky Also correct DTLS record handling for large messages: a zero length or too-long packet should be dropped rather than an exception being thrown.
Diffstat (limited to 'src')
-rw-r--r--src/lib/tls/tls_record.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/src/lib/tls/tls_record.cpp b/src/lib/tls/tls_record.cpp
index e38b26547..bdb37baad 100644
--- a/src/lib/tls/tls_record.cpp
+++ b/src/lib/tls/tls_record.cpp
@@ -456,7 +456,11 @@ size_t read_tls_record(secure_vector<byte>& readbuf,
if(record_len > MAX_CIPHERTEXT_SIZE)
throw TLS_Exception(Alert::RECORD_OVERFLOW,
- "Got message that exceeds maximum size");
+ "Received a record that exceeds maximum size");
+
+ if(record_len == 0)
+ throw TLS_Exception(Alert::DECODE_ERROR,
+ "Received a completely empty record");
if(size_t needed = fill_buffer_to(readbuf,
input, input_sz, consumed,
@@ -543,9 +547,12 @@ size_t read_dtls_record(secure_vector<byte>& readbuf,
const size_t record_len = make_u16bit(readbuf[DTLS_HEADER_SIZE-2],
readbuf[DTLS_HEADER_SIZE-1]);
- if(record_len > MAX_CIPHERTEXT_SIZE)
- throw TLS_Exception(Alert::RECORD_OVERFLOW,
- "Got message that exceeds maximum size");
+ // Invalid packet:
+ if(record_len == 0 || record_len > MAX_CIPHERTEXT_SIZE)
+ {
+ readbuf.clear();
+ return 0;
+ }
if(fill_buffer_to(readbuf, input, input_sz, consumed, DTLS_HEADER_SIZE + record_len))
{