diff options
| author | lloyd <[email protected]> | 2011-12-31 04:14:11 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2011-12-31 04:14:11 +0000 |
| commit | 2b266b5fae7e8d8bb346019daf7211da83c597f7 (patch) | |
| tree | 24403d3ce51d7c81500978db9a348dfb3034a245 /src | |
| parent | b1a36938a25baf867123c1d6619d191e089135ff (diff) | |
A bad decrypt on a TLS 1.0/1.1 message would cause a mostly infinite
loop (size_t overflow), likely causing a segfault. Not exploitable as
far as I can tell, beyond the obvious crashing.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ssl/rec_read.cpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/ssl/rec_read.cpp b/src/ssl/rec_read.cpp index 4e5b69780..7e295f8a4 100644 --- a/src/ssl/rec_read.cpp +++ b/src/ssl/rec_read.cpp @@ -213,9 +213,14 @@ size_t Record_Reader::get_record(byte& msg_type, } else { + bool padding_good = true; + for(size_t i = 0; i != pad_size; ++i) if(plaintext[plaintext.size()-i-1] != pad_value) - pad_size = 0; + padding_good = false; + + if(!padding_good) + pad_size = 0; } } |