RT3301: Discard too-long heartbeat requests

Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit af4c6e348e4bad6303e7d214cdcf2536487aabe4)
author: Erik Auerswald <auerswal@unix-ag.uni-kl.de> 2014-08-26 22:50:34 -0400
committer: Janusz Kozerski <j.kozerski@samsung.com> 2014-10-20 15:26:04 +0200
commit: c1c0f069b58a535080bdca66c351ac638890dc49 (patch)
tree: f7f1cfd8c508e057893a385effd4a6ab1b4721ba
parent: 923968785fdc9a10c9d5982c4410a9ff81955ef4 (diff)
download: openssl-c1c0f069b58a535080bdca66c351ac638890dc49.tar.gz
openssl-c1c0f069b58a535080bdca66c351ac638890dc49.tar.bz2
openssl-c1c0f069b58a535080bdca66c351ac638890dc49.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 89cdca8..2e4250f 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1492,6 +1492,9 @@ dtls1_process_heartbeat(SSL *s)
 	/* Read type and payload length first */
 	if (1 + 2 + 16 > s->s3->rrec.length)
 		return 0; /* silently discard */
+	if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
+		return 0; /* silently discard per RFC 6520 sec. 4 */
+
 	hbtype = *p++;
 	n2s(p, payload);
 	if (1 + 2 + payload + 16 > s->s3->rrec.length)
author	Erik Auerswald <auerswal@unix-ag.uni-kl.de>	2014-08-26 22:50:34 -0400
committer	Janusz Kozerski <j.kozerski@samsung.com>	2014-10-20 15:26:04 +0200
commit	c1c0f069b58a535080bdca66c351ac638890dc49 (patch)
tree	f7f1cfd8c508e057893a385effd4a6ab1b4721ba
parent	923968785fdc9a10c9d5982c4410a9ff81955ef4 (diff)
download	openssl-c1c0f069b58a535080bdca66c351ac638890dc49.tar.gz openssl-c1c0f069b58a535080bdca66c351ac638890dc49.tar.bz2 openssl-c1c0f069b58a535080bdca66c351ac638890dc49.zip