diff options
Diffstat (limited to 'crypto/openssl/ssl/s3_srvr.c')
| -rw-r--r-- | crypto/openssl/ssl/s3_srvr.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 0280bb92f76a..2319737fed05 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -167,7 +167,6 @@ int ssl3_accept(SSL *s) long num1; int ret= -1; int new_state,state,skip=0; - int got_new_session=0; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); @@ -280,7 +279,7 @@ int ssl3_accept(SSL *s) s->shutdown=0; ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; - got_new_session=1; + s->new_session = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; break; @@ -513,7 +512,7 @@ int ssl3_accept(SSL *s) s->init_num=0; - if (got_new_session) /* skipped if we just sent a HelloRequest */ + if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ { /* actually not necessarily a 'new' session */ @@ -712,7 +711,7 @@ static int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((i+p) > (d+n)) + if ((p+i) >= (d+n)) { /* not enough data */ al=SSL_AD_DECODE_ERROR; @@ -769,6 +768,13 @@ static int ssl3_get_client_hello(SSL *s) /* compression */ i= *(p++); + if ((p+i) > (d+n)) + { + /* not enough data */ + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_LENGTH_MISMATCH); + goto f_err; + } q=p; for (j=0; j<i; j++) { @@ -816,7 +822,7 @@ static int ssl3_get_client_hello(SSL *s) /* TLS does not mind if there is extra stuff */ if (s->version == SSL3_VERSION) { - if (p > (d+n)) + if (p < (d+n)) { /* wrong number of bytes, * there could be more to follow */ |