Commit b0873dbb authored by Adam Langley's avatar Adam Langley Committed by Emilia Kasper
Browse files

RT3060: Limit the number of empty records. 



Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: default avatarBodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a8)
parent 48ae65be

ssl/s3_pkt.c

+18 −1
Original line number Diff line number Diff line
@@ -272,6 +272,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) 
	return(n);

	}



/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will

 * be processed per call to ssl3_get_record. Without this limit an attacker

 * could send empty records at a faster rate than we can process and cause

 * ssl3_get_record to loop forever. */

#define MAX_EMPTY_RECORDS 32



/* Call this to get a new input record.

 * It will return <= 0 if more data is needed, normally due to an error

 * or non-blocking IO.
@@ -292,6 +298,7 @@ static int ssl3_get_record(SSL *s) 
	short version;

	unsigned mac_size, orig_len;

	size_t extra;

	unsigned empty_record_count = 0;



	rr= &(s->s3->rrec);

	sess=s->session;
@@ -522,7 +529,17 @@ printf("\n"); 
	s->packet_length=0;



	/* just read a 0 length packet */

	if (rr->length == 0) goto again;

	if (rr->length == 0)

		{

		empty_record_count++;

		if (empty_record_count > MAX_EMPTY_RECORDS)

			{

			al=SSL_AD_UNEXPECTED_MESSAGE;

			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL);

			goto f_err;

			}

		goto again;

		}



#if 0

fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, rr->length);