From 1cde025957a598934b838b1de26ae9090659d17f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 3 Aug 2018 12:02:35 +0100 Subject: [PATCH] Ensure we send an alert on error when processing a ticket In some scenarios the connection could fail without an alert being sent. This causes a later assertion failure. Thanks to Quarkslab for reporting this. Reviewed-by: Andy Polyakov Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/6852) --- ssl/statem/statem_clnt.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index ad79fef83c..e846f772a6 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2647,10 +2647,16 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) PACKET extpkt; if (!PACKET_as_length_prefixed_2(pkt, &extpkt) - || PACKET_remaining(pkt) != 0 - || !tls_collect_extensions(s, &extpkt, - SSL_EXT_TLS1_3_NEW_SESSION_TICKET, - &exts, NULL, 1) + || PACKET_remaining(pkt) != 0) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, + SSL_R_LENGTH_MISMATCH); + goto err; + } + + if (!tls_collect_extensions(s, &extpkt, + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts, + NULL, 1) || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_NEW_SESSION_TICKET, exts, NULL, 0, 1)) { -- 2.25.1