diff options
| author | jsing <> | 2016-09-22 18:32:58 +0000 |
|---|---|---|
| committer | jsing <> | 2016-09-22 18:32:58 +0000 |
| commit | 651c6f6d69c217d7077f4d9258ec212a3e66bc7a (patch) | |
| tree | ca996997ea65129563c5bd18cb272f566fb05cdc | |
| parent | 6a61db0eddf0f0575c7ea4cf7d7b5c92bc4b0b10 (diff) | |
| download | openbsd-651c6f6d69c217d7077f4d9258ec212a3e66bc7a.tar.gz openbsd-651c6f6d69c217d7077f4d9258ec212a3e66bc7a.tar.bz2 openbsd-651c6f6d69c217d7077f4d9258ec212a3e66bc7a.zip | |
MFC: Avoid unbounded memory growth in libssl, which can be triggered by a
TLS client repeatedly renegotiating and sending OCSP Status Request TLS
extensions.
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index f3522a02be..48a3c67503 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.85 2015/09/12 16:10:08 doug Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.85.2.1 2016/09/22 18:32:58 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1438,10 +1438,28 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1438 | /* Read in responder_id_list */ | 1438 | /* Read in responder_id_list */ |
| 1439 | n2s(data, dsize); | 1439 | n2s(data, dsize); |
| 1440 | size -= 2; | 1440 | size -= 2; |
| 1441 | if (dsize > size ) { | 1441 | if (dsize > size) { |
| 1442 | *al = SSL_AD_DECODE_ERROR; | 1442 | *al = SSL_AD_DECODE_ERROR; |
| 1443 | return 0; | 1443 | return 0; |
| 1444 | } | 1444 | } |
| 1445 | |||
| 1446 | /* | ||
| 1447 | * We remove any OCSP_RESPIDs from a | ||
| 1448 | * previous handshake to prevent | ||
| 1449 | * unbounded memory growth. | ||
| 1450 | */ | ||
| 1451 | sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, | ||
| 1452 | OCSP_RESPID_free); | ||
| 1453 | s->tlsext_ocsp_ids = NULL; | ||
| 1454 | if (dsize > 0) { | ||
| 1455 | s->tlsext_ocsp_ids = | ||
| 1456 | sk_OCSP_RESPID_new_null(); | ||
| 1457 | if (s->tlsext_ocsp_ids == NULL) { | ||
| 1458 | *al = SSL_AD_INTERNAL_ERROR; | ||
| 1459 | return 0; | ||
| 1460 | } | ||
| 1461 | } | ||
| 1462 | |||
| 1445 | while (dsize > 0) { | 1463 | while (dsize > 0) { |
| 1446 | OCSP_RESPID *id; | 1464 | OCSP_RESPID *id; |
| 1447 | int idsize; | 1465 | int idsize; |
| @@ -1469,13 +1487,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1469 | *al = SSL_AD_DECODE_ERROR; | 1487 | *al = SSL_AD_DECODE_ERROR; |
| 1470 | return 0; | 1488 | return 0; |
| 1471 | } | 1489 | } |
| 1472 | if (!s->tlsext_ocsp_ids && | ||
| 1473 | !(s->tlsext_ocsp_ids = | ||
| 1474 | sk_OCSP_RESPID_new_null())) { | ||
| 1475 | OCSP_RESPID_free(id); | ||
| 1476 | *al = SSL_AD_INTERNAL_ERROR; | ||
| 1477 | return 0; | ||
| 1478 | } | ||
| 1479 | if (!sk_OCSP_RESPID_push( | 1490 | if (!sk_OCSP_RESPID_push( |
| 1480 | s->tlsext_ocsp_ids, id)) { | 1491 | s->tlsext_ocsp_ids, id)) { |
| 1481 | OCSP_RESPID_free(id); | 1492 | OCSP_RESPID_free(id); |