svn commit: r218625 - head/crypto/openssl/ssl
Simon L. Nielsen
simon at FreeBSD.org
Sat Feb 12 21:30:47 UTC 2011
Author: simon
Date: Sat Feb 12 21:30:46 2011
New Revision: 218625
URL: http://svn.freebsd.org/changeset/base/218625
Log:
Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Obtained from: OpenSSL CVS
Modified:
head/crypto/openssl/ssl/t1_lib.c
Modified: head/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- head/crypto/openssl/ssl/t1_lib.c Sat Feb 12 21:30:08 2011 (r218624)
+++ head/crypto/openssl/ssl/t1_lib.c Sat Feb 12 21:30:46 2011 (r218625)
@@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
n2s(data, idsize);
dsize -= 2 + idsize;
+ size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
@@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
/* Read in request_extensions */
+ if (size < 2)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
n2s(data,dsize);
size -= 2;
- if (dsize > size)
+ if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;
More information about the svn-src-all
mailing list