diff options
| author | jsing <> | 2016-09-22 12:33:50 +0000 |
|---|---|---|
| committer | jsing <> | 2016-09-22 12:33:50 +0000 |
| commit | 53cf491d8405e23b0f0b5b740684df633ecec3b9 (patch) | |
| tree | e8f3f38583c086faed65cb61c0826348fb1456da | |
| parent | b6f7bfed7cb7f244a19ca2235b58ec8d1ba19b83 (diff) | |
| download | openbsd-53cf491d8405e23b0f0b5b740684df633ecec3b9.tar.gz openbsd-53cf491d8405e23b0f0b5b740684df633ecec3b9.tar.bz2 openbsd-53cf491d8405e23b0f0b5b740684df633ecec3b9.zip | |
Avoid unbounded memory growth, which can be triggered by a client
repeatedly renegotiating and sending OCSP Status Request TLS extensions.
Fix based on OpenSSL.
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 6853bc210e..3f66e2e6d0 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.89 2016/09/22 06:57:40 guenther Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.90 2016/09/22 12:33:50 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1444,10 +1444,28 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1444 | /* Read in responder_id_list */ | 1444 | /* Read in responder_id_list */ |
| 1445 | n2s(data, dsize); | 1445 | n2s(data, dsize); |
| 1446 | size -= 2; | 1446 | size -= 2; |
| 1447 | if (dsize > size ) { | 1447 | if (dsize > size) { |
| 1448 | *al = SSL_AD_DECODE_ERROR; | 1448 | *al = SSL_AD_DECODE_ERROR; |
| 1449 | return 0; | 1449 | return 0; |
| 1450 | } | 1450 | } |
| 1451 | |||
| 1452 | /* | ||
| 1453 | * We remove any OCSP_RESPIDs from a | ||
| 1454 | * previous handshake to prevent | ||
| 1455 | * unbounded memory growth. | ||
| 1456 | */ | ||
| 1457 | sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, | ||
| 1458 | OCSP_RESPID_free); | ||
| 1459 | s->tlsext_ocsp_ids = NULL; | ||
| 1460 | if (dsize > 0) { | ||
| 1461 | s->tlsext_ocsp_ids = | ||
| 1462 | sk_OCSP_RESPID_new_null(); | ||
| 1463 | if (s->tlsext_ocsp_ids == NULL) { | ||
| 1464 | *al = SSL_AD_INTERNAL_ERROR; | ||
| 1465 | return 0; | ||
| 1466 | } | ||
| 1467 | } | ||
| 1468 | |||
| 1451 | while (dsize > 0) { | 1469 | while (dsize > 0) { |
| 1452 | OCSP_RESPID *id; | 1470 | OCSP_RESPID *id; |
| 1453 | int idsize; | 1471 | int idsize; |
| @@ -1475,13 +1493,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1475 | *al = SSL_AD_DECODE_ERROR; | 1493 | *al = SSL_AD_DECODE_ERROR; |
| 1476 | return 0; | 1494 | return 0; |
| 1477 | } | 1495 | } |
| 1478 | if (!s->tlsext_ocsp_ids && | ||
| 1479 | !(s->tlsext_ocsp_ids = | ||
| 1480 | sk_OCSP_RESPID_new_null())) { | ||
| 1481 | OCSP_RESPID_free(id); | ||
| 1482 | *al = SSL_AD_INTERNAL_ERROR; | ||
| 1483 | return 0; | ||
| 1484 | } | ||
| 1485 | if (!sk_OCSP_RESPID_push( | 1496 | if (!sk_OCSP_RESPID_push( |
| 1486 | s->tlsext_ocsp_ids, id)) { | 1497 | s->tlsext_ocsp_ids, id)) { |
| 1487 | OCSP_RESPID_free(id); | 1498 | OCSP_RESPID_free(id); |