diff options
| author | jasper <> | 2010-11-17 19:14:22 +0000 |
|---|---|---|
| committer | jasper <> | 2010-11-17 19:14:22 +0000 |
| commit | 2edd7b87820e7a5115b1ab9326cdf6d43f42b80c (patch) | |
| tree | da12d151a9c01def9164e40b52ee1f52caead121 | |
| parent | 2131eb9e1b143c48925f2f9609ace2eb75dc9abe (diff) | |
| download | openbsd-2edd7b87820e7a5115b1ab9326cdf6d43f42b80c.tar.gz openbsd-2edd7b87820e7a5115b1ab9326cdf6d43f42b80c.tar.bz2 openbsd-2edd7b87820e7a5115b1ab9326cdf6d43f42b80c.zip | |
- Apply security fix for CVE-2010-3864.
ok djm@ deraadt@
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 9ce726996d..5d401c3572 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -369,14 +369,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 369 | switch (servname_type) | 369 | switch (servname_type) |
| 370 | { | 370 | { |
| 371 | case TLSEXT_NAMETYPE_host_name: | 371 | case TLSEXT_NAMETYPE_host_name: |
| 372 | if (s->session->tlsext_hostname == NULL) | 372 | if (!s->hit) |
| 373 | { | 373 | { |
| 374 | if (len > TLSEXT_MAXLEN_host_name || | 374 | if(s->session->tlsext_hostname) |
| 375 | ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) | 375 | { |
| 376 | *al = SSL_AD_DECODE_ERROR; | ||
| 377 | return 0; | ||
| 378 | } | ||
| 379 | if (len > TLSEXT_MAXLEN_host_name) | ||
| 376 | { | 380 | { |
| 377 | *al = TLS1_AD_UNRECOGNIZED_NAME; | 381 | *al = TLS1_AD_UNRECOGNIZED_NAME; |
| 378 | return 0; | 382 | return 0; |
| 379 | } | 383 | } |
| 384 | if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) | ||
| 385 | { | ||
| 386 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 387 | return 0; | ||
| 388 | } | ||
| 380 | memcpy(s->session->tlsext_hostname, sdata, len); | 389 | memcpy(s->session->tlsext_hostname, sdata, len); |
| 381 | s->session->tlsext_hostname[len]='\0'; | 390 | s->session->tlsext_hostname[len]='\0'; |
| 382 | if (strlen(s->session->tlsext_hostname) != len) { | 391 | if (strlen(s->session->tlsext_hostname) != len) { |
| @@ -389,7 +398,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 389 | 398 | ||
| 390 | } | 399 | } |
| 391 | else | 400 | else |
| 392 | s->servername_done = strlen(s->session->tlsext_hostname) == len | 401 | s->servername_done = s->session->tlsext_hostname |
| 402 | && strlen(s->session->tlsext_hostname) == len | ||
| 393 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; | 403 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; |
| 394 | 404 | ||
| 395 | break; | 405 | break; |