Fix length checking for AEAD ciphersuites
diff --git a/ChangeLog b/ChangeLog
index c1df109..563aa54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,11 @@
 (and various x509 structures got a new member)
 
 = PolarSSL 1.3 branch
+Security
+   * Fix length checking for AEAD ciphersuites (found by Codenomicon).
+     It was possible to crash the server (and client) using crafted messages
+     when a GCM suite was chosen.
+
 Features
    * Add CCM module and cipher mode to Cipher Layer
    * Support for CCM and CCM_8 ciphersuites
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ce6730d..e3b0a17 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1327,10 +1327,18 @@
         unsigned char add_data[13];
         unsigned char taglen = ssl->transform_in->ciphersuite_info->flags &
                                POLARSSL_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        unsigned char explicit_iv_len =  ssl->transform_in->ivlen -
+                                         ssl->transform_in->fixed_ivlen;
 
-        dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
-                                        ssl->transform_in->fixed_ivlen );
-        dec_msglen -= taglen;
+        if( ssl->in_msglen < explicit_iv_len + taglen )
+        {
+            SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
+                                "+ taglen (%d)", ssl->in_msglen,
+                                explicit_iv_len, taglen ) );
+            return( POLARSSL_ERR_SSL_INVALID_MAC );
+        }
+        dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
+
         dec_msg = ssl->in_msg;
         dec_msg_result = ssl->in_msg;
         ssl->in_msglen = dec_msglen;
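Review bot: The new SSL_DEBUG_MSG in the length guard prints `ssl->in_msglen` with `%d`, which is a format/argument mismatch if `in_msglen` is a `size_t` as its use as a record length suggests (its declaration is outside this hunk); the `unsigned char` values promote to `int` and are fine, but the length should be cast, `"msglen (%d) < ...", (int) ssl->in_msglen, ...`, to match. The check itself uses `<`, not `<=`, so a record carrying only the explicit IV and tag decrypts to a zero-length plaintext rather than being rejected, which is the correct TLS behaviour and worth stating in a comment since a later reader may be tempted to tighten it. Returning `POLARSSL_ERR_SSL_INVALID_MAC` for a malformed length rather than a dedicated decode error looks intentional, so that a truncated record is indistinguishable from one that fails authentication; a one-line comment such as `/* Too short to hold explicit IV + tag; report as bad MAC so the failure is not distinguishable from a tag mismatch */` would preserve that reasoning. The enclosing function begins and ends outside the hunk.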