Commit 373dc6e1 authored by Matt Caswell's avatar Matt Caswell
Browse files

Sanity check cookie_len 



Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
parent 468f043e

ssl/d1_lib.c

+2 −1
Original line number Diff line number Diff line
@@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client) 


            /* Generate the cookie */

            if (s->ctx->app_gen_cookie_cb == NULL ||

                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) {

                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||

                cookielen > 255) {

                SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);

                /* This is fatal */

                return -1;

ssl/d1_srvr.c

+3 −2
Original line number Diff line number Diff line
@@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s) 


        if (s->ctx->app_gen_cookie_cb == NULL ||

            s->ctx->app_gen_cookie_cb(s, s->d1->cookie,

                                      &(s->d1->cookie_len)) == 0) {

                                      &(s->d1->cookie_len)) == 0 ||

            s->d1->cookie_len > 255) {

            SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,

                   ERR_R_INTERNAL_ERROR);

                   SSL_R_COOKIE_GEN_CALLBACK_FAILURE);

            s->state = SSL_ST_ERR;

            return 0;

        }