|
|
@@ -570,15 +570,11 @@ Again: |
|
|
|
return c.in.setErrorLocked(fmt.Errorf("tls: oversized record received with length %d", n)) |
|
|
|
} |
|
|
|
if !c.haveVers { |
|
|
|
// First message, be extra suspicious: |
|
|
|
// this might not be a TLS client. |
|
|
|
// Bail out before reading a full 'body', if possible. |
|
|
|
// The current max version is 3.1. |
|
|
|
// If the version is >= 16.0, it's probably not real. |
|
|
|
// Similarly, a clientHello message encodes in |
|
|
|
// well under a kilobyte. If the length is >= 12 kB, |
|
|
|
// First message, be extra suspicious: this might not be a TLS |
|
|
|
// client. Bail out before reading a full 'body', if possible. |
|
|
|
// The current max version is 3.3 so if the version is >= 16.0, |
|
|
|
// it's probably not real. |
|
|
|
if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 || n >= 0x3000 { |
|
|
|
if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 { |
|
|
|
c.sendAlert(alertUnexpectedMessage) |
|
|
|
return c.in.setErrorLocked(fmt.Errorf("tls: first record does not look like a TLS handshake")) |
|
|
|
} |
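Review bot: The rewritten comment above the first-record check (`if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 {`) no longer says what bounds the length of the first record now that the `n >= 0x3000` term is gone. From the visible lines, the only remaining length limit is the general oversized-record check that ends just above `if !c.haveVers`, and its condition lies outside this hunk, so the effective cap should be confirmed there. I would add a line such as `// Record length is not checked here; the oversized-record check above is the only bound.` so a later reader does not assume the stricter pre-handshake size limit still exists. Since an unauthenticated peer's first record can now be as large as that general limit before anything is parsed, it is also worth confirming that callers set a handshake deadline. The enclosing function starts and ends outside the hunk.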
|
|
|