Commit 99bb59d9 authored by Philippe Antoine's avatar Philippe Antoine Committed by Rich Salz

Checks ec_points_format extension size



Before reading first byte as length

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5410)
parent a25e2d49
+13 −2
@@ -2284,8 +2284,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
# ifndef OPENSSL_NO_EC
        else if (type == TLSEXT_TYPE_ec_point_formats) {
            unsigned char *sdata = data;
            int ecpointformatlist_length = *(sdata++);
            int ecpointformatlist_length;

            if (size == 0) {
                goto err;
            }

            ecpointformatlist_length = *(sdata++);
            if (ecpointformatlist_length != size - 1 ||
                ecpointformatlist_length < 1)
                goto err;
@@ -2711,8 +2716,14 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
# ifndef OPENSSL_NO_EC
        else if (type == TLSEXT_TYPE_ec_point_formats) {
            unsigned char *sdata = data;
            int ecpointformatlist_length = *(sdata++);
            int ecpointformatlist_length;

            if (size == 0) {
                *al = TLS1_AD_DECODE_ERROR;
                return 0;
            }

            ecpointformatlist_length = *(sdata++);
            if (ecpointformatlist_length != size - 1) {
                *al = TLS1_AD_DECODE_ERROR;
                return 0;
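Review bot: In the ssl_scan_serverhello_tlsext hunk, the length check that follows the new `size == 0` guard still accepts an empty point-format list. With `size == 1` and a length byte of 0, `ecpointformatlist_length != size - 1` is false and parsing continues, whereas the clienthello branch in the first hunk also rejects `ecpointformatlist_length < 1`. RFC 4492 defines the list as `<1..2^8-1>`, so a zero-length list from a peer is malformed and the server-side parser should treat it as a decode error as well: `if (ecpointformatlist_length != size - 1 || ecpointformatlist_length < 1) {`. The rest of this branch lies outside the hunk, so what a zero length does downstream (for example when it is used as an allocation or copy size) cannot be confirmed from here. A one-line comment above each guard, such as `/* need at least the one-byte list length before dereferencing sdata */`, would keep the reason for the check visible.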