MFC:

cherrypick fix for CVE-2014-0160 "heartbleed" vulnerability from
OpenSSL git; ok sthen@

2 files changed, 27 insertions, 13 deletions

diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index de8bab873f..436ab67b7a 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -1452,26 +1452,36 @@ dtls1_process_heartbeat(SSL *s)
         unsigned int payload;
         unsigned int padding = 16; /* Use minimum padding */
 
-        /* Read type and payload length first */
-        hbtype = *p++;
-        n2s(p, payload);
-        pl = p;
-
         if (s->msg_callback)
                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                         &s->s3->rrec.data[0], s->s3->rrec.length,
                         s, s->msg_callback_arg);
 
+        /* Read type and payload length first */
+        if (1 + 2 + 16 > s->s3->rrec.length)
+                return 0; /* silently discard */
+        hbtype = *p++;
+        n2s(p, payload);
+        if (1 + 2 + payload + 16 > s->s3->rrec.length)
+                return 0; /* silently discard per RFC 6520 sec. 4 */
+        pl = p;
+
         if (hbtype == TLS1_HB_REQUEST)
                 {
                 unsigned char *buffer, *bp;
+                unsigned int write_length = 1 /* heartbeat type */ +
+                                            2 /* heartbeat length */ +
+                                            payload + padding;
                 int r;
 
+                if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
+                        return 0;
+
                 /* Allocate memory for the response, size is 1 byte
                  * message type, plus 2 bytes payload length, plus
                  * payload, plus padding
                  */
-                buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+                buffer = OPENSSL_malloc(write_length);
                 bp = buffer;
 
                 /* Enter response type, length and copy payload */
@@ -1482,11 +1492,11 @@ dtls1_process_heartbeat(SSL *s)
                 /* Random padding */
                 RAND_pseudo_bytes(bp, padding);
 
-                r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
+                r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
 
                 if (r >= 0 && s->msg_callback)
                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-                                buffer, 3 + payload + padding,
+                                buffer, write_length,
                                 s, s->msg_callback_arg);
 
                 OPENSSL_free(buffer);
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index bfd4731365..a649dafba9 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -2441,16 +2441,20 @@ tls1_process_heartbeat(SSL *s)
         unsigned int payload;
         unsigned int padding = 16; /* Use minimum padding */
 
-        /* Read type and payload length first */
-        hbtype = *p++;
-        n2s(p, payload);
-        pl = p;
-
         if (s->msg_callback)
                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                         &s->s3->rrec.data[0], s->s3->rrec.length,
                         s, s->msg_callback_arg);
 
+        /* Read type and payload length first */
+        if (1 + 2 + 16 > s->s3->rrec.length)
+                return 0; /* silently discard */
+        hbtype = *p++;
+        n2s(p, payload);
+        if (1 + 2 + payload + 16 > s->s3->rrec.length)
+                return 0; /* silently discard per RFC 6520 sec. 4 */
+        pl = p;
+
         if (hbtype == TLS1_HB_REQUEST)
                 {
                 unsigned char *buffer, *bp;