Merge of multiple security fixes
diff --git a/ChangeLog b/ChangeLog
index 6c735e7..0d9c93f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,8 +1,11 @@
 PolarSSL ChangeLog
 
-= Version 1.2.16 released 2015-10-??
+= Version 1.2.17 released 2015-10-xx
 
 Security
+   * Fix possible heap buffer overflow in SSL if a very long hostname is used.
+     Can be trigerred remotely if you accept hostnames from untrusted parties.
+     Found by Guido Vranken.
    * Fix stack buffer overflow in pkcs12 decryption (used by
      mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
      Found by Guido Vranken. Not triggerable remotely.
@@ -23,6 +26,10 @@
      unless you allow third parties to pick trust CAs for client auth.
      Found by Guido Vranken.
 
+Changes
+   * ssl_set_hostname() now rejects host names longer that 255 bytes (maximum
+     defined by RFC 1035)
+
 = Version 1.2.16 released 2015-09-17
 
 Security
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e31b776..7aad9f9 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -121,6 +121,8 @@
 #define SSL_LEGACY_ALLOW_RENEGOTIATION  1
 #define SSL_LEGACY_BREAK_HANDSHAKE      2
 
+#define SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+
 /*
  * Size of the input / output buffer.
  * Note: the RFC defines the default size of SSL / TLS messages. If you
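Review bot: The comment on `SSL_MAX_HOST_NAME_LEN` does not say what the 255 counts. The check added in library/ssl_tls.c compares the macro with `ssl->hostname_len`, and the allocation that follows uses `hostname_len + 1`, so the limit appears to exclude the terminating NUL. Any buffer sized from this macro therefore needs one extra byte. Suggested wording: `/*!< Maximum host name length in bytes, excluding the terminating NUL (RFC 1035) */`.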
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 734bc8f..bed4286 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3350,6 +3350,9 @@
     if( ssl->hostname_len + 1 == 0 )
         return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
 
+    if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )
+        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
     ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
 
     if( ssl->hostname == NULL )
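Review bot: The new length check at `if( ssl->hostname_len > SSL_MAX_HOST_NAME_LEN )` runs after `ssl->hostname_len` already holds the length of the rejected name, so the error path leaves that oversized value in the context next to whatever `ssl->hostname` pointed to before. The assignment is above the hunk, so this is inferred from both checks reading the field. If a caller ignores the return value after an earlier successful call, code that later copies `hostname_len` bytes from `ssl->hostname` would run past the older, shorter buffer. Validate a local and store it only once accepted, presumably `size_t len = strlen( hostname );`, then `if( len > SSL_MAX_HOST_NAME_LEN ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, then `ssl->hostname_len = len;`. The function starts and ends outside the hunk.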