From 2e809c0449d0ed2ef65ef4b2ae2c84596d259f90 Mon Sep 17 00:00:00 2001
From: Jon Shallow
Date: Thu, 25 Mar 2021 13:21:18 +0000
Subject: [PATCH] dtls.c: Reject oversized fragment length
Signed-off-by: Jon Shallow
---
 dtls.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/dtls.c b/dtls.c
index 7791bb41..843e5e62 100644
--- a/dtls.c
+++ b/dtls.c
@@ -3675,7 +3675,11 @@ handle_handshake(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
 size_t fragment_length = dtls_uint24_to_int(hs_header->fragment_length);
 size_t fragment_offset = dtls_uint24_to_int(hs_header->fragment_offset);
- if (packet_length > fragment_length){
+ if (fragment_length > packet_length) {
+ dtls_warn("fragment length > header length\n");
+ return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+ }
+ else if (packet_length > fragment_length){
 dtls_debug("received fragmented handshake packet: length %zu, fragment length %zu.\n", packet_length, fragment_length);
 /* If (reassembled) packet is larger than our buffer, drop with error */
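Review bot: The new guard bounds fragment_length against packet_length only; fragment_offset, read one line above it, is left unchecked here, so a fragment whose offset plus length exceeds the message length declared in the handshake header would still reach the reassembly branch unless that path validates it — the reassembly code is outside this hunk, so I cannot confirm. A companion check next to the new one would close that, e.g. `if (fragment_offset + fragment_length > dtls_uint24_to_int(hs_header->length)) return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);` (both operands are 24-bit values, so the sum cannot overflow a size_t). The warning text `fragment length > header length` names the wrong quantity, since the comparison is with packet_length; `dtls_warn("fragment length %zu > packet length %zu\n", fragment_length, packet_length);` would read correctly in logs and carry the values an analyst needs. The `else` following the unconditional `return` is redundant and could be dropped. handle_handshake begins and ends outside the hunk.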