reject zero length point format list or supported curves extensions
authorDr. Stephen Henson <steve@openssl.org>
Thu, 22 Nov 2012 14:15:25 +0000 (14:15 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 22 Nov 2012 14:15:25 +0000 (14:15 +0000)
ssl/t1_lib.c

index 28eec44566a50a6e408c7be6a0852bb4c8c88d04..d8df062a803216f2b0489b1eb613d907542aa887 100644 (file)
@@ -1077,7 +1077,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        int ellipticcurvelist_length = (*(sdata++) << 8);
                        ellipticcurvelist_length += (*(sdata++));
 
-                       if (ellipticcurvelist_length != size - 2)
+                       if (ellipticcurvelist_length != size - 2 ||
+                               ellipticcurvelist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
@@ -1433,7 +1434,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
 
-                       if (ecpointformatlist_length != size - 1)
+                       if (ecpointformatlist_length != size - 1 || 
+                               ecpointformatlist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;