diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2021-09-03 13:18:18 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2021-09-03 13:18:18 +0000 |
| commit | 5986a58fb2a789dcf23f33a463c5bf6e22792f18 (patch) | |
| tree | 9306b158d66a4863d0fa5451c953db8c788edba8 | |
| parent | e22401d3de4b8df58094e6ca03064f640f56c063 (diff) | |
Ensure that a server hello does not have trailing data.
Found by tlsfuzzer.
ok beck@
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index e27a0735b6e..ddab394db94 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.110 2021/09/02 14:41:03 beck Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.111 2021/09/03 13:18:17 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1065,6 +1065,9 @@ ssl3_get_server_hello(SSL *s) goto fatal_err; } + if (CBS_len(&cbs) != 0) + goto decode_err; + /* * Determine if we need to see RI. Strictly speaking if we want to * avoid an attack we should *always* see RI even on initial server |