diff options
author | Martin Willi <martin@revosec.ch> | 2014-03-21 09:29:44 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2014-03-31 15:56:12 +0200 |
commit | f93497507fbdfb3dfdfc2ca830a9ced73d86dab1 (patch) | |
tree | 6a7269db9b2d17f3cddd2f5e8d1145de2fd39308 /src/libtls | |
parent | b886dad49865c08c99e97652fe18666289f695d0 (diff) | |
download | strongswan-f93497507fbdfb3dfdfc2ca830a9ced73d86dab1.tar.bz2 strongswan-f93497507fbdfb3dfdfc2ca830a9ced73d86dab1.tar.xz |
tls: Check for minimal TLS record length before each record iteration
Fixes fragment reassembling if a buffer contains more than one record, but
the last record contains a partial TLS record header. Thanks to Nick Saunders
and Jamil Nimeh for identifying this issue and providing a fix for it.
Diffstat (limited to 'src/libtls')
-rw-r--r-- | src/libtls/tls.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/src/libtls/tls.c b/src/libtls/tls.c index 6b51e7593..7314602b6 100644 --- a/src/libtls/tls.c +++ b/src/libtls/tls.c @@ -218,14 +218,7 @@ METHOD(tls_t, process, status_t, { if (this->input.len == 0) { - if (buflen < sizeof(tls_record_t)) - { - DBG2(DBG_TLS, "received incomplete TLS record header"); - memcpy(&this->head, buf, buflen); - this->headpos = buflen; - break; - } - while (TRUE) + while (buflen >= sizeof(tls_record_t)) { /* try to process records inline */ record = buf; @@ -252,6 +245,13 @@ METHOD(tls_t, process, status_t, return NEED_MORE; } } + if (buflen < sizeof(tls_record_t)) + { + DBG2(DBG_TLS, "received incomplete TLS record header"); + memcpy(&this->head, buf, buflen); + this->headpos = buflen; + break; + } } len = min(buflen, this->input.len - this->inpos); memcpy(this->input.ptr + this->inpos, buf, len); |