From 4926c94a69c93379e5fccad595f158b73933c5d4 Mon Sep 17 00:00:00 2001
From: lloyd <lloyd@randombit.net>
Date: Tue, 30 Mar 2010 17:37:02 +0000
Subject: Instead of just discarding the extension size, confirm that the claimed length matches the length of the data left in the client hello packet.

---
 src/ssl/hello.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ssl/hello.cpp b/src/ssl/hello.cpp
index 5c3b561ec..a23d51c24 100644
--- a/src/ssl/hello.cpp
+++ b/src/ssl/hello.cpp
@@ -130,7 +130,10 @@ void Client_Hello::deserialize(const MemoryRegion<byte>& buf)
 if(reader.has_remaining()) {
- reader.discard_next(2); // the extension size; we just read to end
+ const u16bit all_extn_size = reader.get_u16bit();
+
+ if(reader.remaining_bytes() != all_extn_size)
+ throw Decoding_Error("Client_Hello: Bad extension size");
 while(reader.has_remaining()) {
-- cgit v1.2.3
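Review bot: The new check bounds only the outer extensions block; the per-extension length fields parsed in the `while(reader.has_remaining())` loop that follows are outside the hunk and, as far as this diff shows, are still gated only by `has_remaining()`, so each of them should be compared against `reader.remaining_bytes()` in the same way before the extension body is consumed, otherwise a single extension can still claim more data than the hello holds. A trailer of exactly one byte also satisfies `has_remaining()` and reaches `get_u16bit()`; whether the reader then raises `Decoding_Error` or returns a short value is not visible here and is worth confirming, since the `!=` comparison would accept a short read if `remaining_bytes()` happens to match. The removed line carried the only explanation of this field, so I would keep a comment on the new read, e.g. `// length of the extensions block; must cover exactly the rest of the hello`. `Client_Hello::deserialize` begins and ends outside the hunk.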