ref: dd00a15705c62bb363d792299e03247924f9a022
parent: e9853213c893b23d880e0a2dfba7c7f7de436889
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Oct 17 19:42:55 EDT 2021
libsec: fix bugs in tls extension handling (thanks kemal)
--- a/libsec/tlshand.c
+++ b/libsec/tlshand.c
@@ -500,9 +500,7 @@
p = b = nil;
// RFC6066 - Server Name Identification
- if(conn->serverName != nil){
- n = strlen(conn->serverName);
-
+ if(conn->serverName != nil && (n = strlen(conn->serverName)) > 0){
m = p - b;
b = erealloc(b, m + 2+2+2+1+2+n);
p = b + m;
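Review bot: The new guard on the SNI block bounds the host name length only from below (`> 0`); nothing visible caps `n` before it is used to size the buffer. The `2+2+2+1+2+n` layout suggests 16-bit length fields are written after this hunk, so a name longer than 0xFFFF-5 bytes would presumably wrap those fields while the full name is still copied. Consider extending the condition to `(n = strlen(conn->serverName)) > 0 && n <= 0xFFFF-5`. The encoding itself lies outside the hunk, so confirm against the lines that follow.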
@@ -655,22 +653,20 @@
uchar *p, *e;
int i, j, n;
- p = ext->data;
- e = p+ext->len;
- while(p < e){
- if(e-p < 2)
+ if(ext == nil)
+ return 0;
+
+ for(p = ext->data, e = p+ext->len; p < e; p += n){
+ if(e-p < 4)
goto Short;
- switch(get16(p)){
- case Extec:
- p += 2;
- n = get16(p);
- if(e-p < n || n < 2)
+ p += 4;
+ if(e-p < (n = get16(p-2)))
+ goto Short;
+ switch(get16(p-4)){
+ case Extec:
+ if(n < 4 || n % 2 || get16(p) != (n -= 2))
goto Short;
p += 2;
- n = get16(p);
- p += 2;
- if(e-p < n || n & 1 || n == 0)
- goto Short;
for(i = 0; i < nelem(namedcurves) && c->sec->nc == nil; i++)
for(j = 0; j < n; j += 2)
if(namedcurves[i].tlsid == get16(p+j)){
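Review bot: The bounds checks in the rewritten extension loop change state inside comparisons (`e-p < (n = get16(p-2))` and `get16(p) != (n -= 2)`), which makes it hard to audit that `p + n` still points at the end of the current extension when the `for` increment `p += n` runs. This walk is presumably over peer-supplied bytes, and that invariant is what keeps it inside `ext->data`. I would assign first and compare after: `n = get16(p-2); if(e-p < n) goto Short;`, and in the Extec case `if(n < 4 || n % 2 || get16(p) != n-2) goto Short;` followed by `p += 2, n -= 2;`. A short comment above the switch stating that every case must leave `p+n` at the end of the extension body would protect cases added later. The function and the end of the loop lie outside this hunk.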
@@ -677,16 +673,7 @@
c->sec->nc = &namedcurves[i];
break;
}
- p += n;
break;
- default:
- p += 2;
- n = get16(p);
- p += 2;
- if(e-p < n)
- goto Short;
- p += n;
- break;
}
}
@@ -1591,7 +1578,7 @@
nn = get16(p);
p += 2, n -= 2;
- if((nn & 1) || n < nn || nn < 2)
+ if(nn % 2 || n < nn || nn < 2)
goto Short;
m->u.clientHello.ciphers = newints(nn >> 1);
for(i = 0; i < nn; i += 2)
@@ -1680,7 +1667,7 @@
goto Short;
nn = get16(p);
p += 2, n -= 2;
- if(nn & 1)
+ if(nn % 2)
goto Short;
m->u.certificateRequest.sigalgs = newints(nn>>1);
for(i = 0; i < nn; i += 2)
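Review bot: The length check on `nn` for `certificateRequest.sigalgs` tests only parity, while the matching `clientHello.ciphers` check in the previous hunk also rejects `n < nn`. If the loop body (outside this hunk) reads `nn` bytes starting at `p`, as the `newints(nn>>1)` sizing suggests, a declared length larger than the remaining `n` would read past the end of the message. Suggest `if(nn % 2 || n < nn)` here, unless the loop body bounds its own reads.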