Avoid protocol rollback.

1 files changed, 13 insertions, 8 deletions

diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index a81544a1b6..050618235f 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -348,16 +348,21 @@ int ssl23_get_client_hello(SSL *s)
 			 * SSLv3 or tls1 header
 			 */
 			
-			v[0]=p[1]; /* major version */
+			v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
 			/* We must look at client_version inside the Client Hello message
-			 * to get the correct minor version: */
-			v[1]=p[10];
-			/* However if we have only a pathologically small fragment of the
-			 * Client Hello message, we simply use the version from the
-			 * record header -- this is incorrect but unlikely to fail in
-			 * practice */
+			 * to get the correct minor version.
+			 * However if we have only a pathologically small fragment of the
+			 * Client Hello message, this would be difficult, we'd have
+			 * to read at least one additional record to find out.
+			 * This doesn't usually happen in real life, so we just complain
+			 * for now.
+			 */
 			if (p[3] == 0 && p[4] < 6)
-				v[1]=p[2];
+				{
+				SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+				goto err;
+				}
+			v[1]=p[10]; /* minor version according to client_version */
 			if (v[1] >= TLS1_VERSION_MINOR)
 				{
 				if (!(s->options & SSL_OP_NO_TLSv1))