Validate ClientHello extension field length

RT#4069 Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
author: Alessandro Ghedini <alessandro@ghedini.me> 2015-10-02 13:43:29 +0200
committer: Matt Caswell <matt@openssl.org> 2015-10-05 19:43:00 +0100
commit: 52a48f9eed73503c691056b5832b3eb04b95ea00 (patch)
tree: 73661de8526b42c2090d9415609c213438d7a2f4 /ssl
parent: 67202973cf55eaac021706c183377b8040cf0c20 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index aeae5b0cba..4975c10853 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1927,6 +1927,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al)
     if (!PACKET_get_net_2(pkt, &len))
         goto err;
 
+    if (PACKET_remaining(pkt) != len)
+        goto err;
+
     while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) {
         PACKET subpkt;
author	Alessandro Ghedini <alessandro@ghedini.me>	2015-10-02 13:43:29 +0200
committer	Matt Caswell <matt@openssl.org>	2015-10-05 19:43:00 +0100
commit	52a48f9eed73503c691056b5832b3eb04b95ea00 (patch)
tree	73661de8526b42c2090d9415609c213438d7a2f4 /ssl
parent	67202973cf55eaac021706c183377b8040cf0c20 (diff)