crypto/tls: fix parsing of SNI extension.

The previous code had a brain fart: it took one of the length prefixes as an element count, not a length. This didn't actually affect anything because the loop stops as soon as it finds a hostname element, and the hostname element is always the first and only element. (No other element types have ever been defined.) This change fixes the parsing in case SNI is ever changed in the future. Fixes golang#10793. Change-Id: Iafdf3381942bc22b1f33595315c53dc6cc2e9f0f Reviewed-on: https://go-review.googlesource.com/11059 Reviewed-by: Brad Fitzpatrick <[email protected]>
greyhwndz · Jun 14, 2015 · 6a34206 · 6a34206
1 parent 71e83b8
commit 6a34206
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/crypto/tls/handshake_messages.go b/src/crypto/tls/handshake_messages.go
@@ -367,12 +367,16 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 
 		switch extension {
 		case extensionServerName:
-			if length < 2 {
+			d := data[:length]
+			if len(d) < 2 {
 				return false
 			}
-			numNames := int(data[0])<<8 | int(data[1])
-			d := data[2:]
-			for i := 0; i < numNames; i++ {
+			namesLen := int(d[0])<<8 | int(d[1])
+			d = d[2:]
+			if len(d) != namesLen {
+				return false
+			}
+			for len(d) > 0 {
 				if len(d) < 3 {
 					return false
 				}
@@ -383,7 +387,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 					return false
 				}
 				if nameType == 0 {
-					m.serverName = string(d[0:nameLen])
+					m.serverName = string(d[:nameLen])
 					break
 				}
 				d = d[nameLen:]