8264948: Check for TLS extensions total length

Reviewed-by: jnimeh
2021-04-10 03:48:45 +00:00 · 2021-04-10 03:48:45 +00:00 · 5784f6b7f7
commit 5784f6b7f7
parent 42f4d70627
1 changed files with 13 additions and 1 deletions
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
@ -54,14 +54,26 @@ final class SSLExtensions {
            ByteBuffer m, SSLExtension[] extensions) throws IOException {
        this.handshakeMessage = hm;

+        if (m.remaining() < 2) {
+            throw hm.handshakeContext.conContext.fatal(
+                    Alert.DECODE_ERROR,
+                    "Incorrect extensions: no length field");
+        }
+
        int len = Record.getInt16(m);
+        if (len > m.remaining()) {
+            throw hm.handshakeContext.conContext.fatal(
+                    Alert.DECODE_ERROR,
+                    "Insufficient extensions data");
+        }
+
        encodedLength = len + 2;        // 2: the length of the extensions.
        while (len > 0) {
            int extId = Record.getInt16(m);
            int extLen = Record.getInt16(m);
            if (extLen > m.remaining()) {
                throw hm.handshakeContext.conContext.fatal(
-                        Alert.ILLEGAL_PARAMETER,
+                        Alert.DECODE_ERROR,
                        "Error parsing extension (" + extId +
                        "): no sufficient data");
            }