commit c988f32adde62a169ba340fee0da15aecd40e76e
author Simon Butcher <simon.butcher@arm.com> Tue Sep 29 23:27:20 2015 +0100
committer Simon Butcher <simon.butcher@arm.com> Tue Sep 29 23:27:20 2015 +0100
tree ace30999a6629e0aa05e83256b053836fa21fc1e
parent 21823f9a69d22f4cc5eb17493a1b6dbd889a24c8

Added max length checking of hostname

include/polarssl/ssl.h

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 1f9f8be..0d84663 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -198,6 +198,8 @@
 #endif /* POLARSSL_SSL_PROTO_TLS1_1 */
 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
 
+#define SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+
 /* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
  * NONE must be zero so that memset()ing structure to zero works */
 #define SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 96e867b..0a7fee1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4148,6 +4148,9 @@
     if( ssl->hostname_len + 1 == 0 )
         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
+    if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     ssl->hostname = polarssl_malloc( ssl->hostname_len + 1 );
 
     if( ssl->hostname == NULL )