Ensure that a client hello does not have trailing data.

Found by tlsfuzzer.

ok beck@

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index a473d5a..3a37fc7 100644 (file)
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.118 2021/08/30 19:25:43 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.119 2021/09/03 13:18:01 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1017,6 +1017,9 @@ ssl3_get_client_hello(SSL *s)
                goto fatal_err;
        }
 
+       if (CBS_len(&cbs) != 0)
+               goto decode_err;
+
        if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);