mirror of https://github.com/wolfSSL/wolfssl.git
DTLS Handshake Message CAP
Cap the incoming DTLS handshake messages size the same way we do for TLS. If handshake messages claim to be larger than the largest allowed certificate message, we error out.pull/2687/head
parent
feeb18600f
commit
ef6938d2bc
|
@ -12359,6 +12359,14 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||||
return PARSE_ERROR;
|
return PARSE_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Cap the maximum size of a handshake message to something reasonable.
|
||||||
|
* By default is the maximum size of a certificate message assuming
|
||||||
|
* nine 2048-bit RSA certificates in the chain. */
|
||||||
|
if (size > MAX_HANDSHAKE_SZ) {
|
||||||
|
WOLFSSL_MSG("Handshake message too large");
|
||||||
|
return HANDSHAKE_SIZE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
/* check that we have complete fragment */
|
/* check that we have complete fragment */
|
||||||
if (*inOutIdx + fragSz > totalSz) {
|
if (*inOutIdx + fragSz > totalSz) {
|
||||||
WOLFSSL_ERROR(INCOMPLETE_DATA);
|
WOLFSSL_ERROR(INCOMPLETE_DATA);
|
||||||
|
|
Loading…
Reference in New Issue