From b04f947941d08b5d077a63b017ecee5e4e2e11cc Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Sun, 13 Dec 2015 00:51:06 +0900
Subject: [PATCH] Fix NPN protocol name list validation
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Since 50932c4 "PACKETise ServerHello processing", ssl_next_proto_validate() incorrectly allows empty protocol name. draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that the empty string is not included and that no byte strings are truncated." This patch restores the old correct behavior. [1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04
Reviewed-by: Emilia Käsper
Reviewed-by: Matt Caswell
---
 ssl/t1_lib.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 6363348d54..3082a59810 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2339,11 +2339,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
 */
 static char ssl_next_proto_validate(PACKET *pkt)
 {
- unsigned int len;
+ PACKET tmp_protocol;
 
 while (PACKET_remaining(pkt)) {
- if (!PACKET_get_1(pkt, &len)
- || !PACKET_forward(pkt, len))
+ if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
+ || PACKET_remaining(&tmp_protocol) == 0)
 return 0;
 }
 
-- 
2.25.1
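Review bot: The two conditions in the new `if` inside the `while` loop enforce two different rules from the draft, and nothing at the call site says which is which. A failing `PACKET_get_length_prefixed_1()` appears to cover a truncated entry, while `PACKET_remaining(&tmp_protocol) == 0` is the empty-name rejection that the earlier refactor dropped. A one-line comment above the `if`, such as `/* Reject truncated entries and zero-length protocol names (draft-agl-tls-nextprotoneg-04). */`, would make the second check harder to lose in the next rewrite. The diffstat shows only ssl/t1_lib.c changed, so no regression test feeding an NPN list with an empty name accompanies the fix; adding one would catch a repeat. The body of ssl_next_proto_validate() continues past the end of the hunk.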