From ec940f898b42f16bb0727f807b72488fad6d6d12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Wed, 14 Aug 2019 14:20:03 +0200
Subject: SSL: ALPN: Don't include empty, too long or truncated names

As is said in RFC7301 in section 3.1 [1]:

Protocols are named by IANA-registered, opaque, non-empty byte strings
[...]. Empty strings MUST NOT be included and byte strings MUST NOT be
truncated.

[1]: https://tools.ietf.org/html/rfc7301#section-3.1

Change-Id: I2c41fa99984a53cc58803e5a264d06edac964cc6
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
 src/network/ssl/qsslsocket_mac.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/network/ssl/qsslsocket_mac.cpp')

diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp
index 7c5f4310f8..e6b71b293e 100644
--- a/src/network/ssl/qsslsocket_mac.cpp
+++ b/src/network/ssl/qsslsocket_mac.cpp
@@ -928,6 +928,13 @@ bool QSslSocketBackendPrivate::initSslContext()
         QCFType<CFMutableArrayRef> cfNames(CFArrayCreateMutable(nullptr, 0, &kCFTypeArrayCallBacks));
         if (cfNames) {
             for (const QByteArray &name : protocolNames) {
+                if (name.size() > 255) {
+                    qCWarning(lcSsl) << "TLS ALPN extension" << name
+                                     << "is too long and will be ignored.";
+                    continue;
+                } else if (name.isEmpty()) {
+                    continue;
+                }
                 QCFString cfName(QString::fromLatin1(name).toCFString());
                 CFArrayAppendValue(cfNames, cfName);
             }
-- 
cgit v1.2.3