out-of-bounds read in (unused) kerberos ciphersuites (CAN-2004-0112)

author: markus <> 2004-03-17 14:22:02 +0000
committer: markus <> 2004-03-17 14:22:02 +0000
commit: 0514fab896ecd7bd5063c1e0853337a09e156448 (patch)
tree: 883c4d715cd3deb507323296d727220fb60d5cdf
parent: a300d320eeca00daca7747f4e4327416da173e6f (diff)
download: openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.tar.gz
openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.tar.bz2
openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.zip
2 files changed, 32 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 57f1d3f52a..deb3cffabe 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
+                if (n < enc_ticket.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
                n2s(p,i);
                authenticator.length = i;
+                if (n < enc_ticket.length + authenticator.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                authenticator.data = (char *)p;
                p+=authenticator.length;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 57f1d3f52a..deb3cffabe 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
+                if (n < enc_ticket.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
                n2s(p,i);
                authenticator.length = i;
+                if (n < enc_ticket.length + authenticator.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                authenticator.data = (char *)p;
                p+=authenticator.length;
author	markus <>	2004-03-17 14:22:02 +0000
committer	markus <>	2004-03-17 14:22:02 +0000
commit	0514fab896ecd7bd5063c1e0853337a09e156448 (patch)
tree	883c4d715cd3deb507323296d727220fb60d5cdf
parent	a300d320eeca00daca7747f4e4327416da173e6f (diff)
download	openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.tar.gz openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.tar.bz2 openbsd-0514fab896ecd7bd5063c1e0853337a09e156448.zip

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 57f1d3f52a..deb3cffabe 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
1588		1588
1589	n2s(p,i);	1589	n2s(p,i);
1590	enc_ticket.length = i;	1590	enc_ticket.length = i;
		1591
		1592	if (n < enc_ticket.length + 6)
		1593	{
		1594	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1595	SSL_R_DATA_LENGTH_TOO_LONG);
		1596	goto err;
		1597	}
		1598
1591	enc_ticket.data = (char *)p;	1599	enc_ticket.data = (char *)p;
1592	p+=enc_ticket.length;	1600	p+=enc_ticket.length;
1593		1601
1594	n2s(p,i);	1602	n2s(p,i);
1595	authenticator.length = i;	1603	authenticator.length = i;
		1604
		1605	if (n < enc_ticket.length + authenticator.length + 6)
		1606	{
		1607	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1608	SSL_R_DATA_LENGTH_TOO_LONG);
		1609	goto err;
		1610	}
		1611
1596	authenticator.data = (char *)p;	1612	authenticator.data = (char *)p;
1597	p+=authenticator.length;	1613	p+=authenticator.length;
1598		1614


diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 57f1d3f52a..deb3cffabe 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
1588		1588
1589	n2s(p,i);	1589	n2s(p,i);
1590	enc_ticket.length = i;	1590	enc_ticket.length = i;
		1591
		1592	if (n < enc_ticket.length + 6)
		1593	{
		1594	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1595	SSL_R_DATA_LENGTH_TOO_LONG);
		1596	goto err;
		1597	}
		1598
1591	enc_ticket.data = (char *)p;	1599	enc_ticket.data = (char *)p;
1592	p+=enc_ticket.length;	1600	p+=enc_ticket.length;
1593		1601
1594	n2s(p,i);	1602	n2s(p,i);
1595	authenticator.length = i;	1603	authenticator.length = i;
		1604
		1605	if (n < enc_ticket.length + authenticator.length + 6)
		1606	{
		1607	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1608	SSL_R_DATA_LENGTH_TOO_LONG);
		1609	goto err;
		1610	}
		1611
1596	authenticator.data = (char *)p;	1612	authenticator.data = (char *)p;
1597	p+=authenticator.length;	1613	p+=authenticator.length;
1598		1614