Fix potential bad read of length

commit: f7cdbc0e87fd6a8151165ec51d3c4b01ab77b256 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Oct 17 17:02:10 2014 +0200
committer: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Oct 17 17:02:10 2014 +0200
tree: f51ae2e1f2416cfc02202daa557f20984416bffc
parent: ef9a6aec5158d46382e43d5d6f4a853e37794f0b [diff] [blame]
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 38f9fe7..27abb3e 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -875,7 +875,7 @@
 {
     int ret, i, comp;
     size_t n;
-    size_t ext_len = 0;
+    size_t ext_len;
     unsigned char *buf, *ext;
     int renegotiation_info_seen = 0;
     int handshake_failure = 0;
@@ -981,7 +981,7 @@
      *   42+n . 43+n  extensions length
      *   44+n . 44+n+m extensions
      */
-    if( ssl->in_hslen > 42 + n )
+    if( ssl->in_hslen > 43 + n )
     {
         ext_len = ( ( buf[42 + n] <<  8 )
                   | ( buf[43 + n]       ) );
@@ -993,6 +993,15 @@
             return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
         }
     }
+    else if( ssl->in_hslen == 42 + n )
+    {
+        ext_len = 0;
+    }
+    else
+    {
+        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
 
     i = ( buf[39 + n] << 8 ) | buf[40 + n];
     comp = buf[41 + n];
commit	f7cdbc0e87fd6a8151165ec51d3c4b01ab77b256	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Fri Oct 17 17:02:10 2014 +0200
committer	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Fri Oct 17 17:02:10 2014 +0200
tree	f51ae2e1f2416cfc02202daa557f20984416bffc
parent	ef9a6aec5158d46382e43d5d6f4a853e37794f0b [diff] [blame]