From dc1caebca4d325d1d05fc082722782a2d2374cd6 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 26 May 2020 16:54:50 +0000
Subject: Add additional length checks for TLSv1.3 plaintext and inner
 plaintext.

Reminded by and ok beck@
---
 src/lib/libssl/tls13_record_layer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 658a6d6a9e..70c440fee0 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.45 2020/05/23 11:57:41 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.46 2020/05/26 16:54:50 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -548,6 +548,9 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
 	    CBS_data(&header), CBS_len(&header)))
 		goto err;
 
+	if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN)
+		goto err;
+
 	if (!tls13_record_layer_inc_seq_num(rl->read_seq_num))
 		goto err;
 
@@ -562,6 +565,8 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
 		content_len--;
 	if (content_len < 0)
 		goto err;
+	if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN)
+		goto err;
 	content_type = content[content_len];
 
 	tls13_record_layer_rbuf_free(rl);
-- 
cgit v1.2.3-55-g6feb