commit 6b4f237f6accd027f854f7efa3bdad6b2ba38361
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jul 17 14:33:38 2013 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu Jul 18 11:23:48 2013 +0200
tree ea01d9df002d06982f7865fd7ce86a3110e9fdc0
parent 30dc7ef3adab20f1d23ccc1ba96039a7b84b49c0

Forbid setting max_frag_len > MAX_CONTENT_LEN

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9a1590c..d6be987 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3119,29 +3119,35 @@
 
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {
+    uint16_t max_frag_len;
+
     switch( mfl_code )
     {
         case SSL_MAX_FRAG_LEN_512:
-            ssl->max_frag_len = 512;
+            max_frag_len = 512;
             break;
 
         case SSL_MAX_FRAG_LEN_1024:
-            ssl->max_frag_len = 1024;
+            max_frag_len = 1024;
             break;
 
         case SSL_MAX_FRAG_LEN_2048:
-            ssl->max_frag_len = 2048;
+            max_frag_len = 2048;
             break;
 
         case SSL_MAX_FRAG_LEN_4096:
-            ssl->max_frag_len = 4096;
+            max_frag_len = 4096;
             break;
 
         default:
             return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
     }
 
+    if( max_frag_len > SSL_MAX_CONTENT_LEN )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     ssl->mfl_code = mfl_code;
+    ssl->max_frag_len = max_frag_len;
 
     return( 0 );
 }