From 373dc6e196835c06f31ff34cd188471f296126c1 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 23 Sep 2015 12:57:34 +0100
Subject: [PATCH] Sanity check cookie_len

Add a sanity check that the cookie_len returned by app_gen_cookie_cb is valid.

Reviewed-by: Andy Polyakov
---
 ssl/d1_lib.c | 3 ++-
 ssl/d1_srvr.c | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 8a8ced8abb..4bdf90a657 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
 /* Generate the cookie */
 if (s->ctx->app_gen_cookie_cb == NULL ||
- s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) {
+ s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
+ cookielen > 255) {
 SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
 /* This is fatal */
 return -1;
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 8aa1ebaa4b..e32c4c1013 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s)
 if (s->ctx->app_gen_cookie_cb == NULL ||
 s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
- &(s->d1->cookie_len)) == 0) {
+ &(s->d1->cookie_len)) == 0 ||
+ s->d1->cookie_len > 255) {
 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
- ERR_R_INTERNAL_ERROR);
+ SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
 s->state = SSL_ST_ERR;
 return 0;
 }
-- 2.25.1
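Review bot: The new `cookielen > 255` test runs only after app_gen_cookie_cb has already written into `cookie`, so it stops an oversized length from being used afterwards but cannot stop the callback itself from writing past the buffer; the call passes the callback no buffer capacity. That limit belongs in the documentation of the callback contract, and the bare `255` here and in the d1_srvr.c hunk would read better as a named constant with a comment such as `/* cookie length is carried in a one-byte field on the wire */`. dtls1_listen's body starts and ends outside the hunk, so the declaration and size of `cookie` are not visible here.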
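Review bot: On the new `s->d1->cookie_len > 255` failure path the out-of-range length stays stored in `s->d1->cookie_len`, because the callback writes it straight into the connection state before the check runs. Setting `s->state = SSL_ST_ERR` probably keeps later code from reading it, but adding `s->d1->cookie_len = 0;` before `return 0;` would make that safe regardless of any later reader. The function body continues outside the hunk, so whether anything else consumes the field after this return is not visible.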