[tls] Avoid potential out-of-bound reads in length fields
author Michael Brown <mcb30@ipxe.org>
Fri, 11 Mar 2016 16:09:40 +0000 (16:09 +0000)
committer Michael Brown <mcb30@ipxe.org>
Fri, 11 Mar 2016 16:09:40 +0000 (16:09 +0000)
commit 05dcb07cb239d8b7abe33f7701dbb81f370cea4b
tree c3f9bbe7dc3d16458aa8c564386e0b6b78c73702
parent e303a6b387628d4c65d1085f66a5d97855755ace
[tls] Avoid potential out-of-bound reads in length fields

Many TLS records contain variable-length fields.  We currently
validate the overall record length, but do so only after reading the
length of the variable-length field.  If the record is too short to
even contain the length field, then we may read uninitialised data
from beyond the end of the record.

This is harmless in practice (since the subsequent overall record
length check would fail regardless of the value read from the
uninitialised length field), but causes warnings from some analysis
tools.

Fix by validating that the overall record length is sufficient to
contain the length field before reading from the length field.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/net/tls.c
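
The ordering issue described in the commit message, as an added example that is not iPXE's code and is not taken from this commit. The record layout, function names and sample bytes are assumptions constructed for illustration; both orderings accept and reject the same records, but only the second never reads past a record too short to hold its length field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout (not iPXE's): 2-byte big-endian length, then payload. */
#define LEN_FIELD_SIZE 2

/* Problem ordering: read the length field, then check the record length.
 * With len < LEN_FIELD_SIZE the read is beyond the record's end. */
static int parse_read_then_check(const uint8_t *rec, size_t len,
                                 const uint8_t **payload, size_t *payload_len)
{
    size_t field_len = ((size_t)rec[0] << 8) | rec[1]; /* unchecked read */
    if (LEN_FIELD_SIZE + field_len > len)
        return -1;
    *payload = rec + LEN_FIELD_SIZE;
    *payload_len = field_len;
    return 0;
}

/* Fixed ordering: confirm the record can hold the length field before
 * reading it, then bound the payload against what remains. */
static int parse_check_then_read(const uint8_t *rec, size_t len,
                                 const uint8_t **payload, size_t *payload_len)
{
    size_t field_len;
    if (len < LEN_FIELD_SIZE)
        return -1;
    field_len = ((size_t)rec[0] << 8) | rec[1];
    if (field_len > len - LEN_FIELD_SIZE)
        return -1;
    *payload = rec + LEN_FIELD_SIZE;
    *payload_len = field_len;
    return 0;
}

/* Constructed sample; shorter test records are prefixes of this buffer. */
static const uint8_t sample[] = { 0x00, 0x02, 0xaa, 0xbb };

int main(void)
{
    const uint8_t *p;
    size_t n, len;
    for (len = 0; len <= sizeof(sample); len++)
        printf("len=%zu read-then-check=%d check-then-read=%d\n", len,
               parse_read_then_check(sample, len, &p, &n),
               parse_check_then_read(sample, len, &p, &n));
    return 0;
}
```

Because the short records here are prefixes of a 4-byte array, the unchecked read stays inside the array; with a buffer that really ends at the record boundary, that read is what analysis tools flag.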