Don't crash when processing a zero-length, TLS >= 1.1 record.

The previous CBC patch was bugged in that there was a path through enc() in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left at the previous value which could suggest that the packet was a sufficient length when it wasn't.
author: Ben Laurie <ben@links.org> 2013-01-28 17:33:18 +0000
committer: Ben Laurie <ben@links.org> 2013-01-28 17:33:18 +0000
commit: 6cb19b7681f600b2f165e4adc57547b097b475fd (patch)
tree: f0bf30e675c0bbaa29be28db7febd92f1a678936 /ssl/s3_pkt.c
parent: e130841bccfc0bb9da254dc84e23bc6a1c78a64e (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 57a0b74556..dd98e698bf 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -399,8 +399,13 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
+	rr->orig_len=rr->length;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
+	/* enc_err is:
+	 *    0: (in non-constant time) if the record is publically invalid.
+	 *    1: if the padding is valid
+	 *    -1: if the padding is invalid */
 	if (enc_err == 0)
 		{
 		/* SSLerr() and ssl3_send_alert() have been called */
author	Ben Laurie <ben@links.org>	2013-01-28 17:33:18 +0000
committer	Ben Laurie <ben@links.org>	2013-01-28 17:33:18 +0000
commit	6cb19b7681f600b2f165e4adc57547b097b475fd (patch)
tree	f0bf30e675c0bbaa29be28db7febd92f1a678936 /ssl/s3_pkt.c
parent	e130841bccfc0bb9da254dc84e23bc6a1c78a64e (diff)