dtls.c: Fix handling ClientHello if no peer and fragment

If a fragmented ClientHello is received with no peer, do not handle it. Also fixed situation where there was insuffient decrypted data provieded to save away a single fragment. Signed-off-by: Jon Shallow <[email protected]>
eclipse · Mar 25, 2021 · 323fd75 · 323fd75
1 parent 94205ff
commit 323fd75
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/dtls.c b/dtls.c
@@ -3676,6 +3676,11 @@ handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
   size_t fragment_offset = dtls_uint24_to_int(hs_header->fragment_offset);
 
   if (packet_length > fragment_length){
+    if (!peer || !peer->handshake_params) {
+      /* This is the initial ClientHello */
+      dtls_alert("Cannot handle fragmented ClientHello\n");
+      return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE);
+    }
     dtls_debug("received fragmented handshake packet: length %zu, fragment length %zu.\n",
                packet_length, fragment_length);
     /* If (reassembled) packet is larger than our buffer, drop with error */
@@ -3711,8 +3716,15 @@ handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
       return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); // TODO: Is this the correct alert?
     }
     /* Looks good: copy fragment in buffer */
-    dtls_debug("copying fragment to buffer: offset (%zu), length (%zu).\n", fragment_offset,
-               fragment_length);
+    dtls_debug("copying fragment to buffer: offset (%zu), length (%zu),"
+               " data_length (%zu).\n", fragment_offset, fragment_length,
+               data_length - (fragment_offset == 0 ?
+                sizeof(dtls_handshake_header_t) : 0));
+    if ((size_t)fragment_length + (fragment_offset == 0 ?
+               sizeof(dtls_handshake_header_t) : 0) > data_length) {
+      dtls_warn("insufficient data for fragment\n");
+      return dtls_alert_fatal_create(DTLS_ALERT_RECORD_OVERFLOW); // TODO: Is this the correct alert?
+    }
     memcpy(peer->handshake_params->reassemble_buf->data + fragment_offset + (fragment_offset != 0 ? sizeof(dtls_handshake_header_t) : 0),
            data, (size_t)fragment_length + (fragment_offset == 0 ? sizeof(dtls_handshake_header_t) : 0));
     peer->handshake_params->reassemble_buf->last_offset = fragment_offset + fragment_length;