WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

DTLS Handshake Message CAP 

Cap the incoming DTLS handshake messages size the same way we do for
TLS. If handshake messages claim to be larger than the largest allowed
certificate message, we error out.
pull/2687/head
John Safranek 2019-12-17 16:55:58 -08:00
parent feeb18600f
commit ef6938d2bc
No known key found for this signature in database
GPG Key ID: 8CE817DE0D3CCB4A
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/internal.c
View File

@ -12359,6 +12359,14 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return PARSE_ERROR; return PARSE_ERROR;
} }
/* Cap the maximum size of a handshake message to something reasonable.
* By default is the maximum size of a certificate message assuming
* nine 2048-bit RSA certificates in the chain. */
if (size > MAX_HANDSHAKE_SZ) {
WOLFSSL_MSG("Handshake message too large");
return HANDSHAKE_SIZE_ERROR;
}
/* check that we have complete fragment */ /* check that we have complete fragment */
if (*inOutIdx + fragSz > totalSz) { if (*inOutIdx + fragSz > totalSz) {
WOLFSSL_ERROR(INCOMPLETE_DATA); WOLFSSL_ERROR(INCOMPLETE_DATA);