diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 0b5f91225..1cfb606c9 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -784,7 +784,8 @@ struct _ssl_context (equal to in_left if none) */ #endif - size_t in_hslen; /*!< current handshake message length */ + size_t in_hslen; /*!< current handshake message length, + including the handshake header */ int nb_zero; /*!< # of 0-length encrypted messages */ int record_read; /*!< record is already present */ @@ -1948,6 +1949,17 @@ static inline size_t ssl_hdr_len( const ssl_context *ssl ) return( 5 ); } +static inline size_t ssl_hs_hdr_len( const ssl_context *ssl ) +{ +#if defined(POLARSSL_SSL_PROTO_DTLS) + if( ssl->transport == SSL_TRANSPORT_DATAGRAM ) + return( 12 ); +#else + ((void) ssl); +#endif + return( 4 ); +} + /* constant-time buffer comparison */ static inline int safer_memcmp( const void *a, const void *b, size_t n ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7b4776699..5dd690b3e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2338,10 +2338,16 @@ static int ssl_reassemble_dtls_handshake( ssl_context *ssl ) static int ssl_prepare_handshake_record( ssl_context *ssl ) { - ssl->in_hslen = ssl->transport == SSL_TRANSPORT_DATAGRAM ? 12 : 4; - ssl->in_hslen += ( ssl->in_msg[1] << 16 ) | - ( ssl->in_msg[2] << 8 ) | - ssl->in_msg[3]; + if( ssl->in_msglen < ssl_hs_hdr_len( ssl ) ) + { + SSL_DEBUG_MSG( 1, ( "handshake message too short: %d", + ssl->in_msglen ) ); + } + + ssl->in_hslen = ssl_hs_hdr_len( ssl ) + ( + ( ssl->in_msg[1] << 16 ) | + ( ssl->in_msg[2] << 8 ) | + ssl->in_msg[3] ); SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" " %d, type = %d, hslen = %d",