Potential buffer-overflow for ssl_read_record()
diff --git a/ChangeLog b/ChangeLog
index f8a46d9..88e5341 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
PolarSSL ChangeLog
+= Branch 1.1
+Security
+ * Potential buffer-overflow for ssl_read_record() (independently found by
+ both TrustInSoft and Paul Brodeur of Leviathan Security Group)
+
= Version 1.1.7 released on 2013-06-19
Changes
* HAVEGE random generator disabled by default
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 27f2172..a5d1cb1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1159,7 +1159,7 @@
/*
* TLS encrypted messages can have up to 256 bytes of padding
*/
- if( ssl->minor_ver == SSL_MINOR_VERSION_1 &&
+ if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
ssl->in_msglen > ssl->minlen + SSL_MAX_CONTENT_LEN + 256 )
{
SSL_DEBUG_MSG( 1, ( "bad message length" ) );
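Review bot: The upper bound on `ssl->in_msglen` at `if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&` is still gated on the negotiated version, so the record length is only bounded when one of the per-version branches matches. The old `==` shows how a newer minor version can slip through with no cap at all. A version-independent check that fails closed would be more robust: reject any `in_msglen` larger than the input buffer can hold before the per-version limits are applied. The enclosing function starts and ends outside the hunk, so an earlier check of that kind may already exist; if so, a comment here should point to it. The comment above the test should also state the scope that the new operator gives it, for example `/* TLS 1.0 and later: encrypted records can carry up to 256 bytes of padding */`. A regression test that feeds an over-long record length on a connection with `minor_ver` above `SSL_MINOR_VERSION_1` would keep the comparison from regressing.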