diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 8a8ced8abb..4bdf90a657 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -754,7 +754,8 @@ int dtls1_listen(SSL *s, struct sockaddr *client) /* Generate the cookie */ if (s->ctx->app_gen_cookie_cb == NULL || - s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0) { + s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 || + cookielen > 255) { SSLerr(SSL_F_DTLS1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); /* This is fatal */ return -1; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 8aa1ebaa4b..e32c4c1013 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -888,9 +888,10 @@ int dtls1_send_hello_verify_request(SSL *s) if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0) { + &(s->d1->cookie_len)) == 0 || + s->d1->cookie_len > 255) { SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, - ERR_R_INTERNAL_ERROR); + SSL_R_COOKIE_GEN_CALLBACK_FAILURE); s->state = SSL_ST_ERR; return 0; }