ref: 82e56fa4847d1520927c1bbc2331391d15f8f5c2
parent: bd59926cbfd2962ce3931de28a7f4e7d93732e79
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Nov 8 19:33:16 EST 2021
devtls: reject zero length records (thanks sigrid) zero length record causes ensure() todo nothing, while qgrab() assumes there is at least one buffer in the queue and would dereference the nil buffer.
--- a/sys/src/9/port/devtls.c
+++ b/sys/src/9/port/devtls.c
@@ -766,8 +766,8 @@
if(ver != tr->version && (tr->verset || ver < MinProtoVersion || ver > MaxProtoVersion))
rcvError(tr, EProtocolVersion, "devtls expected ver=%x%s, saw (len=%d) type=%x ver=%x '%.12s'",
tr->version, tr->verset?"/set":"", len, type, ver, (char*)header);
- if(len > MaxCipherRecLen || len < 0)
- rcvError(tr, ERecordOverflow, "record message too long %d", len);
+ if(len > MaxCipherRecLen || len <= 0)
+ rcvError(tr, ERecordOverflow, "bad record message length %d", len);
ensure(tr, &tr->unprocessed, len);
nconsumed = 0;
poperror();
--
⑨