Assert that ApplicationData has epoch != 0
Otherwise we may accept unencrypted/unauthenticated ApplicationData
from a remote
Sean-Der committed Oct 11, 2019
1 parent 8294885 commit fd73a5d
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions conn.go
Expand Up @@ -559,6 +559,10 @@ func (c *Conn) handleIncomingPacket(buf []byte) (*alert, error) {
c.log.Trace("<- ChangeCipherSpec")
c.setRemoteEpoch(c.getRemoteEpoch() + 1)
case *applicationData:
if h.epoch == 0 {
return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("ApplicationData with epoch of 0")
}

c.decrypted <- content.data
default:
return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("unhandled contentType %d", content.contentType())
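Review bot: The new guard rejects only epoch 0, so an ApplicationData record carrying any other epoch value still reaches `c.decrypted <- content.data` two lines below; whether that is safe depends on the decryption step earlier in handleIncomingPacket, which starts outside this hunk and is not visible here. Since the ChangeCipherSpec branch just above tracks the peer's epoch via `c.setRemoteEpoch`, the check a reader would expect is against the tracked value, `if h.epoch == 0 || h.epoch != c.getRemoteEpoch() {`, unless the earlier record-decrypt path already drops mismatched epochs — please confirm before widening it. A why-comment above the check would also help the next maintainer, e.g. `// epoch 0 records are sent in the clear; ApplicationData is only valid once the cipher spec has changed`. Style-wise, the constant-string `fmt.Errorf("ApplicationData with epoch of 0")` reads better as `errors.New("applicationData with epoch of 0")` (lowercase error string, no format verbs), provided `errors` is already imported in conn.go.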
