From 4926c94a69c93379e5fccad595f158b73933c5d4 Mon Sep 17 00:00:00 2001
From: lloyd <lloyd@randombit.net>
Date: Tue, 30 Mar 2010 17:37:02 +0000
Subject: Instead of just discarding the extension size, confirm that the
 claimed length matches the length of the data left in the client hello
 packet.

---
 src/ssl/hello.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/ssl/hello.cpp b/src/ssl/hello.cpp
index 5c3b561ec..a23d51c24 100644
--- a/src/ssl/hello.cpp
+++ b/src/ssl/hello.cpp
@@ -130,7 +130,10 @@ void Client_Hello::deserialize(const MemoryRegion<byte>& buf)
 
    if(reader.has_remaining())
       {
-      reader.discard_next(2); // the extension size; we just read to end
+      const u16bit all_extn_size = reader.get_u16bit();
+
+      if(reader.remaining_bytes() != all_extn_size)
+         throw Decoding_Error("Client_Hello: Bad extension size");
 
       while(reader.has_remaining())
          {
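Review bot: The new length check has no comment saying what invariant it enforces, and the removed line's comment was the only explanation of this spot; add one above the `if`, e.g. `// The extensions vector must account for exactly the remaining bytes of the ClientHello; a mismatch means a truncated or malformed hello.`. Note that `has_remaining()` is true with a single byte left, so the outcome of `reader.get_u16bit()` on a one-byte tail depends on whether the reader itself rejects short reads — if it does not, a guard such as `if(reader.remaining_bytes() < 2) throw Decoding_Error(...)` before the read would be needed; that behaviour is not visible here. The total-size check also does not bound the per-extension lengths parsed inside the `while` loop, whose body continues outside the hunk, so each extension's own length field still needs its own check against `remaining_bytes()`.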
-- 
cgit v1.2.3