diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2022-09-11 13:50:42 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2022-09-11 13:50:42 +0000 |
commit | 954892c93c68b4f5cc59bff18973dc37c7559608 (patch) | |
tree | 7aa36ae2cded38f72da397298eff67948c76fff2 | |
parent | 1bb7708c20461951d7382a7b42822fbefe2fe56e (diff) |
Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.
ok tb@
-rw-r--r-- | lib/libssl/tls13_record_layer.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c index ac5b83bd341..423b405cbdd 100644 --- a/lib/libssl/tls13_record_layer.c +++ b/lib/libssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -850,6 +850,8 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); if (ccs != 1) return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); + if (CBS_len(&cbs) != 0) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); rl->ccs_seen++; tls13_record_layer_rrec_free(rl); return TLS13_IO_WANT_RETRY; |