Sanity check cookie_len

Add a sanity check that the cookie_len returned by app_gen_cookie_cb is valid. Reviewed-by: Andy Polyakov <appro@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-09-23 12:57:34 +0100
committer: Matt Caswell <matt@openssl.org> 2015-09-23 13:53:27 +0100
commit: 373dc6e196835c06f31ff34cd188471f296126c1 (patch)
tree: 53abd0fdca88991b382a0d95351283943ff5a738 /ssl/d1_lib.c
parent: 468f043ece0e7e262ee6166ae6ec1f7683d82220 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 8a8ced8abb..4bdf90a657 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
 
             /* Generate the cookie */
             if (s->ctx->app_gen_cookie_cb == NULL ||
-                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) {
+                s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
+                cookielen > 255) {
                 SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
                 /* This is fatal */
                 return -1;
author	Matt Caswell <matt@openssl.org>	2015-09-23 12:57:34 +0100
committer	Matt Caswell <matt@openssl.org>	2015-09-23 13:53:27 +0100
commit	373dc6e196835c06f31ff34cd188471f296126c1 (patch)
tree	53abd0fdca88991b382a0d95351283943ff5a738 /ssl/d1_lib.c
parent	468f043ece0e7e262ee6166ae6ec1f7683d82220 (diff)