- Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST)

commit: 452d53295599c310a64d4dcaa8f8ebefdbcae78c [log] [tgz]
author: Paul Bakker <p.j.bakker@polarssl.org> Thu Apr 05 12:07:34 2012 +0000
committer: Paul Bakker <p.j.bakker@polarssl.org> Thu Apr 05 12:07:34 2012 +0000
tree: 28df5a3617c459ca388925c6e82cbb9fed555cff
parent: 61264817960d0eae6e08d7d8dc2b55dbfa0788af [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index bbe8388..64012e5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -880,6 +880,13 @@
     /*
      * Always compute the MAC (RFC4346, CBCTIME).
      */
+    if( ssl->in_msglen <= ssl->maclen + padlen )
+    {
+        SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                    ssl->in_msglen, ssl->maclen, padlen ) );
+        return( POLARSSL_ERR_SSL_INVALID_MAC );
+    }
+
     ssl->in_msglen -= ( ssl->maclen + padlen );
 
     ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
commit	452d53295599c310a64d4dcaa8f8ebefdbcae78c	[log] [tgz]
author	Paul Bakker <p.j.bakker@polarssl.org>	Thu Apr 05 12:07:34 2012 +0000
committer	Paul Bakker <p.j.bakker@polarssl.org>	Thu Apr 05 12:07:34 2012 +0000
tree	28df5a3617c459ca388925c6e82cbb9fed555cff
parent	61264817960d0eae6e08d7d8dc2b55dbfa0788af [diff] [blame]