authorJoel Sing <jsing@cvs.openbsd.org>2022-09-11 13:50:42 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2022-09-11 13:50:42 +0000
commit954892c93c68b4f5cc59bff18973dc37c7559608 (patch)
tree7aa36ae2cded38f72da397298eff67948c76fff2
parent1bb7708c20461951d7382a7b42822fbefe2fe56e (diff)
Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.
ok tb@
-rw-r--r--lib/libssl/tls13_record_layer.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c
index ac5b83bd341..423b405cbdd 100644
--- a/lib/libssl/tls13_record_layer.c
+++ b/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -850,6 +850,8 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
if (ccs != 1)
return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
+ if (CBS_len(&cbs) != 0)
+ return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
rl->ccs_seen++;
tls13_record_layer_rrec_free(rl);
return TLS13_IO_WANT_RETRY;
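Review bot: The added `CBS_len(&cbs) != 0` check answers trailing bytes with `TLS13_ALERT_DECODE_ERROR`, whereas RFC 8446 section 5 asks for an `unexpected_message` alert for any change_cipher_spec record that is not the single byte 0x01. The handshake is aborted either way, so the hardening holds; the difference only affects what the peer and the logs see. If the alert choice is deliberate, a short comment above the check would record it, for example `/* A TLSv1.3 CCS must be exactly one byte (0x01); reject trailing data - RFC 8446 section 5. */`; otherwise consider `return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE);`. The same question applies to the existing `ccs != 1` branch just above, which sends `TLS13_ALERT_ILLEGAL_PARAMETER`. The body of tls13_record_layer_read_record starts and ends outside this hunk, so earlier length checks on the record are not visible here.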