Enforce maximum size of early data in case of HRR

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-07-28 00:21:48 +03:00 · 2024-02-09 16:17:10 +01:00
parent 919e596c05
commit 01d273d31f
3 changed files with 33 additions and 2 deletions
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -4135,7 +4135,12 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
        if (rec->type == MBEDTLS_SSL_MSG_APPLICATION_DATA) {
            MBEDTLS_SSL_DEBUG_MSG(
                3, ("EarlyData: Ignore application message before 2nd ClientHello"));
-            /* TODO: Add max_early_data_size check here, see issue 6347 */
+
+            ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+            if (ret != 0) {
+                return ret;
+            }
+
            return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
        } else if (rec->type == MBEDTLS_SSL_MSG_HANDSHAKE) {
            ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;