diff options
| author | jsing <> | 2021-06-29 18:43:49 +0000 |
|---|---|---|
| committer | jsing <> | 2021-06-29 18:43:49 +0000 |
| commit | 2c28b99d5412d4f0a9fafb41d10ebe8fe29a9bba (patch) | |
| tree | 3c9ef5351cd8523f2c2940c31bce0891bdeb6299 /src | |
| parent | 6857d4ed651ee645ce77533bbc9b522e5821bc97 (diff) | |
| download | openbsd-2c28b99d5412d4f0a9fafb41d10ebe8fe29a9bba.tar.gz openbsd-2c28b99d5412d4f0a9fafb41d10ebe8fe29a9bba.tar.bz2 openbsd-2c28b99d5412d4f0a9fafb41d10ebe8fe29a9bba.zip | |
Reject zero-length non-application data fragments in the legacy stack.
Per RFC 5246 section 6.2.1, zero-length fragments are only permitted for
application data - reject all others.
Reported via GitHub issue #675.
ok inoguchi@ tb@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_pkt.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c index e959ccaf2f..7f655adfe6 100644 --- a/src/lib/libssl/ssl_pkt.c +++ b/src/lib/libssl/ssl_pkt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_pkt.c,v 1.44 2021/06/13 15:34:41 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_pkt.c,v 1.45 2021/06/29 18:43:49 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -430,6 +430,16 @@ ssl3_get_record(SSL *s) | |||
| 430 | 430 | ||
| 431 | if (rr->length == 0) { | 431 | if (rr->length == 0) { |
| 432 | /* | 432 | /* |
| 433 | * Zero-length fragments are only permitted for application | ||
| 434 | * data, as per RFC 5246 section 6.2.1. | ||
| 435 | */ | ||
| 436 | if (rr->type != SSL3_RT_APPLICATION_DATA) { | ||
| 437 | SSLerror(s, SSL_R_BAD_LENGTH); | ||
| 438 | al = SSL_AD_UNEXPECTED_MESSAGE; | ||
| 439 | goto fatal_err; | ||
| 440 | } | ||
| 441 | |||
| 442 | /* | ||
| 433 | * CBC countermeasures for known IV weaknesses can legitimately | 443 | * CBC countermeasures for known IV weaknesses can legitimately |
| 434 | * insert a single empty record, so we allow ourselves to read | 444 | * insert a single empty record, so we allow ourselves to read |
| 435 | * once past a single empty record without forcing want_read. | 445 | * once past a single empty record without forcing want_read. |