diff options
Diffstat (limited to 'src/lib/libssl/d1_both.c')
| -rw-r--r-- | src/lib/libssl/d1_both.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index 72b3b20ae4..e4b718efa7 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c | |||
| @@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) | |||
| 1459 | unsigned int payload; | 1459 | unsigned int payload; |
| 1460 | unsigned int padding = 16; /* Use minimum padding */ | 1460 | unsigned int padding = 16; /* Use minimum padding */ |
| 1461 | 1461 | ||
| 1462 | /* Read type and payload length first */ | ||
| 1463 | hbtype = *p++; | ||
| 1464 | n2s(p, payload); | ||
| 1465 | pl = p; | ||
| 1466 | |||
| 1467 | if (s->msg_callback) | 1462 | if (s->msg_callback) |
| 1468 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | 1463 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, |
| 1469 | &s->s3->rrec.data[0], s->s3->rrec.length, | 1464 | &s->s3->rrec.data[0], s->s3->rrec.length, |
| 1470 | s, s->msg_callback_arg); | 1465 | s, s->msg_callback_arg); |
| 1471 | 1466 | ||
| 1467 | /* Read type and payload length first */ | ||
| 1468 | if (1 + 2 + 16 > s->s3->rrec.length) | ||
| 1469 | return 0; /* silently discard */ | ||
| 1470 | hbtype = *p++; | ||
| 1471 | n2s(p, payload); | ||
| 1472 | if (1 + 2 + payload + 16 > s->s3->rrec.length) | ||
| 1473 | return 0; /* silently discard per RFC 6520 sec. 4 */ | ||
| 1474 | pl = p; | ||
| 1475 | |||
| 1472 | if (hbtype == TLS1_HB_REQUEST) | 1476 | if (hbtype == TLS1_HB_REQUEST) |
| 1473 | { | 1477 | { |
| 1474 | unsigned char *buffer, *bp; | 1478 | unsigned char *buffer, *bp; |
| 1479 | unsigned int write_length = 1 /* heartbeat type */ + | ||
| 1480 | 2 /* heartbeat length */ + | ||
| 1481 | payload + padding; | ||
| 1475 | int r; | 1482 | int r; |
| 1476 | 1483 | ||
| 1484 | if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) | ||
| 1485 | return 0; | ||
| 1486 | |||
| 1477 | /* Allocate memory for the response, size is 1 byte | 1487 | /* Allocate memory for the response, size is 1 byte |
| 1478 | * message type, plus 2 bytes payload length, plus | 1488 | * message type, plus 2 bytes payload length, plus |
| 1479 | * payload, plus padding | 1489 | * payload, plus padding |
| 1480 | */ | 1490 | */ |
| 1481 | buffer = OPENSSL_malloc(1 + 2 + payload + padding); | 1491 | buffer = OPENSSL_malloc(write_length); |
| 1482 | bp = buffer; | 1492 | bp = buffer; |
| 1483 | 1493 | ||
| 1484 | /* Enter response type, length and copy payload */ | 1494 | /* Enter response type, length and copy payload */ |
| @@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) | |||
| 1489 | /* Random padding */ | 1499 | /* Random padding */ |
| 1490 | RAND_pseudo_bytes(bp, padding); | 1500 | RAND_pseudo_bytes(bp, padding); |
| 1491 | 1501 | ||
| 1492 | r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); | 1502 | r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); |
| 1493 | 1503 | ||
| 1494 | if (r >= 0 && s->msg_callback) | 1504 | if (r >= 0 && s->msg_callback) |
| 1495 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, | 1505 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, |
| 1496 | buffer, 3 + payload + padding, | 1506 | buffer, write_length, |
| 1497 | s, s->msg_callback_arg); | 1507 | s, s->msg_callback_arg); |
| 1498 | 1508 | ||
| 1499 | OPENSSL_free(buffer); | 1509 | OPENSSL_free(buffer); |