author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-20 21:23:10 +0100 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-20 21:23:10 +0100 |
commit | 0af5265180877f4e8fbf8f1d9f2999b3fd2205d3 (patch) | |
tree | ced2821d729e10bfeef9101143fa0f412400cd26 /networking/tls.c | |
parent | 54b927d78bfdac54873513fb1dd992a7758d29c8 (diff) | |
tls: check size on "MAC-only, no crypt" code path too
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'networking/tls.c')
-rw-r--r-- | networking/tls.c | 7 |
1 files changed, 4 insertions, 3 deletions
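--- a/networking/tls.c
+++ b/networking/tls.c
@@ -810,14 +810,15 @@ static int tls_xread_record(tls_state_t *tls)
 dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len);
 padding_len++;
 sz -= SHA256_OUTSIZE + padding_len; /* drop MAC and padding */
-if (sz < 0) {
-bb_error_msg_and_die("bad padding size:%u", padding_len);
-}
+//if (sz < 0)
+// bb_error_msg_and_die("bad padding size:%u", padding_len);
 } else {
 /* if nonzero, then it's TLS_RSA_WITH_NULL_SHA256: drop MAC */
 /* else: no encryption yet on input, subtract zero = NOP */
 sz -= tls->min_encrypted_len_on_read;
 }
+if (sz < 0)
+bb_error_msg_and_die("encrypted data too short");
 
 //dump_hex("<< %s\n", tls->inbuf, RECHDR_LEN + sz);
 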
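Review bot: The shared `if (sz < 0)` check after the if/else only bounds the length. On the decrypt path `padding_len` is taken from the record and subtracted, and nothing visible here checks the padding bytes or verifies the MAC that is being dropped. If that is not done elsewhere in tls_xread_record (its body starts and ends outside this hunk), say so next to the check, e.g. `/* length sanity only: padding bytes and MAC are NOT verified here */`. Using one message for both paths is good, since the error text no longer separates a bad padding length from a short record. The two commented-out lines in the first branch are dead code and would read better deleted or replaced by `/* sz < 0 is checked below, for both paths */`. The guard also depends on `sz` being a signed type, which is declared outside the hunk, while the dbg line prints it with `%u`.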