diff options
author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2011-02-13 11:10:57 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2011-02-13 11:10:57 +0000 |
commit | 61f73e3863b3c8f6d3492fb3da8e69a54a56666d (patch) | |
tree | 9d5273122eed3e86847fc52b2a3e205b23c607d8 | |
parent | 578f94cdb935d559d1dad0632ae0dd0fa02a2d14 (diff) | |
download | src-61f73e3863b3c8f6d3492fb3da8e69a54a56666d.tar.gz src-61f73e3863b3c8f6d3492fb3da8e69a54a56666d.zip |
MFS 218634:
Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
The very quick merge is done to get this fix into 7.4 / 8.2.
Approved by: re (bz)
Obtained from: OpenSSL CVS
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Notes
Notes:
svn path=/releng/7.4/; revision=218636
-rw-r--r-- | crypto/openssl/ssl/t1_lib.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index 0cc8320e1789..92cac130024a 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; |