diff options
| author | Matt Caswell <matt@openssl.org> | 2015-09-23 12:57:34 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-09-23 13:53:27 +0100 |
| commit | 373dc6e196835c06f31ff34cd188471f296126c1 (patch) | |
| tree | 53abd0fdca88991b382a0d95351283943ff5a738 /ssl | |
| parent | 468f043ece0e7e262ee6166ae6ec1f7683d82220 (diff) | |
Sanity check cookie_len
Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/d1_lib.c | 3 | ||||
| -rw-r--r-- | ssl/d1_srvr.c | 5 |
2 files changed, 5 insertions, 3 deletions
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 8a8ced8abb..4bdf90a657 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client) /* Generate the cookie */ if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) { + s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 || + cookielen > 255) { SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); /* This is fatal */ return -1; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 8aa1ebaa4b..e32c4c1013 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s) if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0) { + &(s->d1->cookie_len)) == 0 || + s->d1->cookie_len > 255) { SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, - ERR_R_INTERNAL_ERROR); + SSL_R_COOKIE_GEN_CALLBACK_FAILURE); s->state = SSL_ST_ERR; return 0; } |