Check length before reading handshake header

commit: 9d1d7196e41cad6743f3e6f6a4b108a544e02429 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Sep 03 11:01:14 2014 +0200
committer: Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 21 16:30:24 2014 +0200
tree: 9c0381399dec74c0a078eb6b278c1b16445e90df
parent: d9ba0d96b6e47614a565df766c07fa8fcf6393a7 [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7b47766..5dd690b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -2338,10 +2338,16 @@
 
 static int ssl_prepare_handshake_record( ssl_context *ssl )
 {
-    ssl->in_hslen  = ssl->transport == SSL_TRANSPORT_DATAGRAM ? 12 : 4;
-    ssl->in_hslen += ( ssl->in_msg[1] << 16 ) |
-                     ( ssl->in_msg[2] << 8  ) |
-                       ssl->in_msg[3];
+    if( ssl->in_msglen < ssl_hs_hdr_len( ssl ) )
+    {
+        SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
+                            ssl->in_msglen ) );
+    }
+
+    ssl->in_hslen = ssl_hs_hdr_len( ssl ) + (
+                    ( ssl->in_msg[1] << 16 ) |
+                    ( ssl->in_msg[2] << 8  ) |
+                      ssl->in_msg[3] );
 
     SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
                         " %d, type = %d, hslen = %d",
commit	9d1d7196e41cad6743f3e6f6a4b108a544e02429	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Sep 03 11:01:14 2014 +0200
committer	Paul Bakker <p.j.bakker@polarssl.org>	Tue Oct 21 16:30:24 2014 +0200
tree	9c0381399dec74c0a078eb6b278c1b16445e90df
parent	d9ba0d96b6e47614a565df766c07fa8fcf6393a7 [diff] [blame]