From 0af5265180877f4e8fbf8f1d9f2999b3fd2205d3 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Fri, 20 Jan 2017 21:23:10 +0100 Subject: [PATCH] tls: check size on "MAC-only, no crypt" code path too Signed-off-by: Denys Vlasenko --- networking/tls.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/networking/tls.c b/networking/tls.c index fb49b1523..80e3bc662 100644 --- a/networking/tls.c +++ b/networking/tls.c @@ -810,14 +810,15 @@ static int tls_xread_record(tls_state_t *tls) dbg("encrypted size:%u type:0x%02x padding_length:0x%02x\n", sz, p[0], padding_len); padding_len++; sz -= SHA256_OUTSIZE + padding_len; /* drop MAC and padding */ - if (sz < 0) { - bb_error_msg_and_die("bad padding size:%u", padding_len); - } + //if (sz < 0) + // bb_error_msg_and_die("bad padding size:%u", padding_len); } else { /* if nonzero, then it's TLS_RSA_WITH_NULL_SHA256: drop MAC */ /* else: no encryption yet on input, subtract zero = NOP */ sz -= tls->min_encrypted_len_on_read; } + if (sz < 0) + bb_error_msg_and_die("encrypted data too short"); //dump_hex("<< %s\n", tls->inbuf, RECHDR_LEN + sz);