Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681)
This commit is contained in:
Ben Laurie
committed by
Dr. Stephen Henson
Dr. Stephen Henson
parent
fb0a59cc58
commit
e0da2c2ed2
@@ -401,8 +401,13 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
|
||||
|
||||
/* decrypt in place in 'rr->input' */
|
||||
rr->data=rr->input;
|
||||
rr->orig_len=rr->length;
|
||||
|
||||
enc_err = s->method->ssl3_enc->enc(s,0);
|
||||
/* enc_err is:
|
||||
* 0: (in non-constant time) if the record is publically invalid.
|
||||
* 1: if the padding is valid
|
||||
* -1: if the padding is invalid */
|
||||
if (enc_err == 0)
|
||||
{
|
||||
/* SSLerr() and ssl3_send_alert() have been called */
|
||||
|
||||
Reference in New Issue
Block a user