Enforce maximum size of early data when rejected

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-07-28 00:21:48 +03:00 · 2024-02-08 15:48:29 +01:00
parent 2160bfe4e2
commit 919e596c05
3 changed files with 56 additions and 4 deletions
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -4005,7 +4005,11 @@ static int ssl_prepare_record_content(mbedtls_ssl_context *ssl,
                 MBEDTLS_SSL_EARLY_DATA_TRY_TO_DEPROTECT_AND_DISCARD)) {
                MBEDTLS_SSL_DEBUG_MSG(
                    3, ("EarlyData: deprotect and discard app data records."));
-                /* TODO: Add max_early_data_size check here, see issue 6347 */
+
+                ret = mbedtls_ssl_tls13_check_early_data_len(ssl, rec->data_len);
+                if (ret != 0) {
+                    return ret;
+                }
                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
            }
 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_SRV_C */