b53f4976fb
At the time padding_length() is called, the record header
is still part of the message. If a malicious TLS 1.3 peer
sends an all-zero record, padding_length() will stop at
the record header and return the full length of the data
including the tail_size.
Subsequent subtraction of prot->overhead_size from rxm->full_len
will cause rxm->full_len to turn negative. skb accessors,
however, will always catch the resulting out-of-bounds operation,
so in practice this fix comes down to returning the correct
error code. It also fixes a set-but-not-used warning.
This code was added by commit
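The bound described in the commit message can be reproduced with a user-space model. This is an added example, not the kernel code from this commit: `scan_padding`, `data_len`, the `floor` parameter, the sample records and the choice of `-EBADMSG` as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN  5             /* record header: type, version[2], length[2] */
#define TAG_LEN  16            /* AEAD tag */
#define TAIL_LEN (TAG_LEN + 1) /* tag plus the inner content-type byte */

/* Walk back from the byte before the tag to the first non-zero byte, which
 * TLS 1.3 defines as the inner content type. `floor` is the number of leading
 * bytes the scan may not enter: 0 models the bound the message describes as
 * wrong, HDR_LEN the corrected one. Returns the zero-padding count or -EBADMSG. */
static int scan_padding(const uint8_t *rec, size_t full_len, size_t floor,
                        uint8_t *type)
{
    size_t back = TAIL_LEN;
    int pad = 0;

    if (full_len < floor + TAIL_LEN)
        return -EBADMSG;            /* too short to hold type byte and tag */
    for (;;) {
        if (back > full_len - floor)
            return -EBADMSG;        /* body exhausted, no content type found */
        *type = rec[full_len - back];
        if (*type)
            return pad;
        pad++;
        back++;
    }
}

/* Payload length as a receive path would derive it: total length minus
 * padding minus header and tail overhead. Errors are passed through. */
static int data_len(const uint8_t *rec, size_t full_len, size_t floor)
{
    uint8_t type = 0;
    int pad = scan_padding(rec, full_len, floor, &type);

    return pad < 0 ? pad : (int)full_len - pad - (HDR_LEN + TAIL_LEN);
}

/* Constructed samples; the 16 tag bytes are never read by the scan and are
 * left zero. valid: "hi", type 0x17, three padding bytes.
 * all_zero: sixteen zero bytes where content and type should be. */
static const uint8_t valid[27]    = { 0x17, 3, 3, 0, 0x16, 'h', 'i', 0x17 };
static const uint8_t all_zero[37] = { 0x17, 3, 3, 0, 0x20 };
```

With `floor` set to 0 the scan of `all_zero` stops on the header's length byte and the derived length is -1; with `floor` set to `HDR_LEN` the same record is rejected before any length is computed.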