Reduced the input / output overhead with 200+ bytes and covered corner
case
The actual input / output buffer overhead is only 301 instead of 512.
This requires a proper check on the padding_idx to prevent out of bounds
reads.
Previously a remote party could potentially trigger an access error and
thus stop the application when sending a malicious packet having
MAX_CONTENT_LEN of data, 32 bytes of MAC and a decrypted padlen of .
This would result in reading from in_ctr + 13 + 32 + MAX_CONTENT_LEN - 1 - 1
for 256 bytes (including fake padding check). Or 13 + 32 bytes over the
buffer length.
We now reset padding_idx to 0, if it's clear that it will never be a
valid padding (padlen > msg_len || msg_len + padlen + 256 > buffer_len)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 4b0c5f8..7e668f9 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -237,8 +237,8 @@
#endif /* !POLARSSL_CONFIG_OPTIONS */
/*
- * Allow an extra 512 bytes for the record header
- * and encryption overhead (counter + MAC + padding)
+ * Allow an extra 301 bytes for the record header
+ * and encryption overhead: counter (8) + header (5) + MAC (32) + padding (256)
* and allow for a maximum of 1024 of compression expansion if
* enabled.
*/
@@ -248,9 +248,9 @@
#define SSL_COMPRESSION_ADD 0
#endif
-#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512)
+#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 301)
-#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */
+#define SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */
/*
* Supported Signature and Hash algorithms (For TLS 1.2)