Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.

ok tb@
author: jsing <> 2022-09-11 13:50:41 +0000
committer: jsing <> 2022-09-11 13:50:41 +0000
commit: c79da7df7157a30235d61ba0217edf5ceaea5f53 (patch)
tree: dffe5174649affd8ab06e8f959b7c7a7f9b97820
parent: d285e298bd2f5e4b7ea20f8623d14258b0071d07 (diff)
download: openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.tar.gz
openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.tar.bz2
openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index ac5b83bd34..423b405cbd 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -850,6 +850,8 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
                        return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
                if (ccs != 1)
                        return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
+                if (CBS_len(&cbs) != 0)
+                        return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
                rl->ccs_seen++;
                tls13_record_layer_rrec_free(rl);
                return TLS13_IO_WANT_RETRY;
author	jsing <>	2022-09-11 13:50:41 +0000
committer	jsing <>	2022-09-11 13:50:41 +0000
commit	c79da7df7157a30235d61ba0217edf5ceaea5f53 (patch)
tree	dffe5174649affd8ab06e8f959b7c7a7f9b97820
parent	d285e298bd2f5e4b7ea20f8623d14258b0071d07 (diff)
download	openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.tar.gz openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.tar.bz2 openbsd-c79da7df7157a30235d61ba0217edf5ceaea5f53.zip