svn commit: r218634 - stable/7/crypto/openssl/ssl
Simon L. Nielsen
simon at FreeBSD.org
Sun Feb 13 10:24:36 UTC 2011
Author: simon
Date: Sun Feb 13 10:24:36 2011
New Revision: 218634
URL: http://svn.freebsd.org/changeset/base/218634
Log:
MFC 218625:
Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
The very quick MFC is done to get this fix into 7.4 / 8.2.
Discussed with: re
Approved by: so (simon, for "instant" MFC)
Obtained from: OpenSSL CVS
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Modified:
stable/7/crypto/openssl/ssl/t1_lib.c
Directory Properties:
stable/7/crypto/openssl/ (props changed)
Modified: stable/7/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- stable/7/crypto/openssl/ssl/t1_lib.c Sun Feb 13 10:22:43 2011 (r218633)
+++ stable/7/crypto/openssl/ssl/t1_lib.c Sun Feb 13 10:24:36 2011 (r218634)
@@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
n2s(data, idsize);
dsize -= 2 + idsize;
+ size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
@@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
/* Read in request_extensions */
+ if (size < 2)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
n2s(data,dsize);
size -= 2;
- if (dsize > size)
+ if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;
More information about the svn-src-stable-7
mailing list