Diffstat (limited to 'src/daemon/https/tls/ext_server_name.c')
-rw-r--r--src/daemon/https/tls/ext_server_name.c117
1 files changed, 65 insertions, 52 deletions
diff --git a/src/daemon/https/tls/ext_server_name.c b/src/daemon/https/tls/ext_server_name.c
index 45afc31b..1441f692 100644
--- a/src/daemon/https/tls/ext_server_name.c
+++ b/src/daemon/https/tls/ext_server_name.c
@@ -48,75 +48,88 @@ MHD_gtls_server_name_recv_params (MHD_gtls_session_t session,
48 ssize_t data_size = _data_size; 48 ssize_t data_size = _data_size;
49 int server_names = 0; 49 int server_names = 0;
50 50
51 if (session->security_parameters.entity == GNUTLS_SERVER) 51 DECR_LENGTH_RET (data_size, 2, 0);
52 { 52 len = MHD_gtls_read_uint16 (data);
53 DECR_LENGTH_RET (data_size, 2, 0);
54 len = MHD_gtls_read_uint16 (data);
55 53
56 if (len != data_size) 54 if (len != data_size)
57 { 55 {
58 /* This is unexpected packet length, but 56 /* This is unexpected packet length, but
59 * just ignore it, for now. 57 * just ignore it, for now.
60 */ 58 */
61 MHD_gnutls_assert (); 59 MHD_gnutls_assert ();
62 return 0; 60 return 0;
63 } 61 }
64 62
65 p = data + 2; 63 p = data + 2;
66 64
67 /* Count all server_names in the packet. */ 65 /* Count all server_names in the packet. */
68 while (data_size > 0) 66 while (data_size > 0)
69 { 67 {
70 DECR_LENGTH_RET (data_size, 1, 0); 68 DECR_LENGTH_RET (data_size, 1, 0);
71 p++; 69 p++;
72 70
73 DECR_LEN (data_size, 2); 71 DECR_LEN (data_size, 2);
74 len = MHD_gtls_read_uint16 (p); 72 len = MHD_gtls_read_uint16 (p);
75 p += 2; 73 p += 2;
76 74
75 /* make sure supplied server name is not empty */
76 if (len > 0)
77 {
77 DECR_LENGTH_RET (data_size, len, 0); 78 DECR_LENGTH_RET (data_size, len, 0);
78 server_names++; 79 server_names++;
79
80 p += len; 80 p += len;
81 } 81 }
82 else
83 {
84#if HAVE_MESSAGES
85 MHD__gnutls_handshake_log
86 ("HSK[%x]: Received zero size server name (under attack?)\n",
87 session);
88#endif
89 }
90 }
82 91
83 session->security_parameters.extensions.server_names_size = 92 /* we cannot accept more server names. */
84 server_names; 93 if (server_names > MAX_SERVER_NAME_EXTENSIONS)
85 if (server_names == 0) 94 {
86 return 0; /* no names found */ 95#if HAVE_MESSAGES
96 MHD__gnutls_handshake_log
97 ("HSK[%x]: Too many server names received (under attack?)\n",
98 session);
99#endif
100 server_names = MAX_SERVER_NAME_EXTENSIONS;
101 }
87 102
88 /* we cannot accept more server names. 103 session->security_parameters.extensions.server_names_size = server_names;
89 */ 104 if (server_names == 0)
90 if (server_names > MAX_SERVER_NAME_EXTENSIONS) 105 return 0; /* no names found */
91 server_names = MAX_SERVER_NAME_EXTENSIONS;
92 106
93 p = data + 2; 107 p = data + 2;
94 for (i = 0; i < server_names; i++) 108 for (i = 0; i < server_names; i++)
95 { 109 {
96 type = *p; 110 type = *p;
97 p++; 111 p++;
98 112
99 len = MHD_gtls_read_uint16 (p); 113 len = MHD_gtls_read_uint16 (p);
100 p += 2; 114 p += 2;
101 115
102 switch (type) 116 switch (type)
117 {
118 case 0: /* NAME_DNS */
119 if (len <= MAX_SERVER_NAME_SIZE)
103 { 120 {
104 case 0: /* NAME_DNS */ 121 memcpy (session->security_parameters.extensions.server_names[i].
105 if (len <= MAX_SERVER_NAME_SIZE) 122 name, p, len);
106 { 123 session->security_parameters.extensions.
107 memcpy (session->security_parameters. 124 server_names[i].name_length = len;
108 extensions.server_names[i].name, p, len); 125 session->security_parameters.extensions.server_names[i].type =
109 session->security_parameters.extensions.server_names[i]. 126 GNUTLS_NAME_DNS;
110 name_length = len; 127 break;
111 session->security_parameters.extensions.server_names[i].
112 type = GNUTLS_NAME_DNS;
113 break;
114 }
115 } 128 }
116
117 /* move to next record */
118 p += len;
119 } 129 }
130
131 /* move to next record */
132 p += len;
120 } 133 }
121 return 0; 134 return 0;
122} 135}
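Review bot: The two passes now disagree about zero-length names: the counting loop (new lines 76–89) logs an empty record and does not increment server_names, but the storing loop (new lines 108–133) still consumes one record per iteration of i, so an empty record in the middle of the extension is stored as a zero-length GNUTLS_NAME_DNS entry and the last genuine name is never copied, while server_names_size no longer describes what is actually in the array. Advancing i only for non-empty records keeps both passes counting the same thing, and the MAX_SERVER_NAME_EXTENSIONS clamp retains its meaning; the loop still terminates inside the range the first pass validated because at least server_names non-empty records exist there. The function's opening, including the declarations of p, len, type and i, lies above this hunk. Separately, the two new MHD__gnutls_handshake_log calls print `session` through `%x`, a pointer-to-unsigned-int mismatch on LP64 targets; unless the project's logger already handles that, `%p` is the portable specifier.

```c
  p = data + 2;
  for (i = 0; i < server_names; )
    {
      type = *p;
      p++;

      len = MHD_gtls_read_uint16 (p);
      p += 2;

      /* empty records were not counted in the first pass; do not let
         them occupy a slot in server_names[] here either */
      if (len > 0)
        {
          switch (type)
            {
              /* … unchanged: case 0 / NAME_DNS copy … */
            }
          i++;
        }

      /* move to next record */
      p += len;
    }
```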