Sanity check cookie_len

Add a sanity check that the cookie_len returned by app_gen_cookie_cb is
valid.

Reviewed-by: Andy Polyakov <appro@openssl.org>
This commit is contained in:
Matt Caswell 2015-09-23 12:57:34 +01:00
parent 468f043ece
commit 373dc6e196
2 changed files with 5 additions and 3 deletions

View File

@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
/* Generate the cookie */
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) {
s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
cookielen > 255) {
SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
/* This is fatal */
return -1;

View File

@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s)
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
&(s->d1->cookie_len)) == 0) {
&(s->d1->cookie_len)) == 0 ||
s->d1->cookie_len > 255) {
SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
ERR_R_INTERNAL_ERROR);
SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
s->state = SSL_ST_ERR;
return 0;
}