From dc74a450a058ae393496206b36dd1323d803acbe Mon Sep 17 00:00:00 2001 From: Sean DuBois Date: Fri, 11 Oct 2019 02:12:16 -0700 Subject: [PATCH] Assert that ApplicationData has epoch != 0 Otherwise we may accept unencrypted/unauthenticated ApplicationData from a remote --- conn.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/conn.go b/conn.go index 441db8644..bf5a88e03 100644 --- a/conn.go +++ b/conn.go @@ -559,6 +559,10 @@ func (c *Conn) handleIncomingPacket(buf []byte) (*alert, error) { c.log.Trace("<- ChangeCipherSpec") c.setRemoteEpoch(c.getRemoteEpoch() + 1) case *applicationData: + if h.epoch == 0 { + return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("ApplicationData with epoch of 0") + } + c.decrypted <- content.data default: return &alert{alertLevelFatal, alertUnexpectedMessage}, fmt.Errorf("unhandled contentType %d", content.contentType())