Merge pull request #936 from paul-elliott-arm/fix_tls_record_size_check
Fix the wrong variable being used for TLS record size checks
diff --git a/ChangeLog.d/fix_tls_record_size_check.txt b/ChangeLog.d/fix_tls_record_size_check.txt
new file mode 100644
index 0000000..13d452d
--- /dev/null
+++ b/ChangeLog.d/fix_tls_record_size_check.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix record sizes larger than 16384 being sometimes accepted despite being
+ non-compliant. This could not lead to a buffer overflow. In particular,
+ application data size was already checked correctly.
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 580a1fb..56c1f33 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -3809,7 +3809,7 @@
/* Check actual (decrypted) record content length against
* configured maximum. */
- if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+ if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );