Add length checks in parse_certificate_verify()

commit: 5ee96546debc408355fefa9018f3ea2bfdb6cab7 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Sep 10 14:27:21 2014 +0000
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 21 16:30:32 2014 +0200
tree: 12f6d83577d142e2956294c88959c844d3b1b983
parent: 72226214b1503bf649a949e85cd6eddb5aaf958a [diff] [blame]
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index b31cc23..c839ea7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -3330,6 +3330,12 @@
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
     {
+        if( i + 2 > ssl->in_hslen )
+        {
+            SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
         /*
          * Hash
          */
@@ -3376,6 +3382,12 @@
         return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
     }
 
+    if( i + 2 > ssl->in_hslen )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
     sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
     i += 2;
commit	5ee96546debc408355fefa9018f3ea2bfdb6cab7	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Sep 10 14:27:21 2014 +0000
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Oct 21 16:30:32 2014 +0200
tree	12f6d83577d142e2956294c88959c844d3b1b983
parent	72226214b1503bf649a949e85cd6eddb5aaf958a [diff] [blame]