diff options
| author | miod <> | 2014-07-17 11:32:21 +0000 |
|---|---|---|
| committer | miod <> | 2014-07-17 11:32:21 +0000 |
| commit | 5c7abf8ff6e24fab2498d8d7f938853552ab0b9c (patch) | |
| tree | 1894af1c30723221b5505065126a3e1721f1f3aa | |
| parent | 997edad64f993d3a9ef21fd90492fd9b2ba1b7ba (diff) | |
| download | openbsd-5c7abf8ff6e24fab2498d8d7f938853552ab0b9c.tar.gz openbsd-5c7abf8ff6e24fab2498d8d7f938853552ab0b9c.tar.bz2 openbsd-5c7abf8ff6e24fab2498d8d7f938853552ab0b9c.zip | |
Missing bounds check in ssl3_get_certificate_request(), was not spotted in
1.78; reported by Ilja Van Sprundel.
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 7 |
2 files changed, 12 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index b55b2e62c6..8dbeb5ce80 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.84 2014/07/17 11:32:21 miod Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1678,6 +1678,11 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1678 | } | 1678 | } |
| 1679 | 1679 | ||
| 1680 | for (nc = 0; nc < llen; ) { | 1680 | for (nc = 0; nc < llen; ) { |
| 1681 | if (p + 2 - d > n) { | ||
| 1682 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | ||
| 1683 | SSL_R_DATA_LENGTH_TOO_LONG); | ||
| 1684 | goto err; | ||
| 1685 | } | ||
| 1681 | n2s(p, l); | 1686 | n2s(p, l); |
| 1682 | if ((l + nc + 2) > llen) { | 1687 | if ((l + nc + 2) > llen) { |
| 1683 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) | 1688 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) |
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index b55b2e62c6..8dbeb5ce80 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.84 2014/07/17 11:32:21 miod Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1678,6 +1678,11 @@ ssl3_get_certificate_request(SSL *s) | |||
| 1678 | } | 1678 | } |
| 1679 | 1679 | ||
| 1680 | for (nc = 0; nc < llen; ) { | 1680 | for (nc = 0; nc < llen; ) { |
| 1681 | if (p + 2 - d > n) { | ||
| 1682 | SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, | ||
| 1683 | SSL_R_DATA_LENGTH_TOO_LONG); | ||
| 1684 | goto err; | ||
| 1685 | } | ||
| 1681 | n2s(p, l); | 1686 | n2s(p, l); |
| 1682 | if ((l + nc + 2) > llen) { | 1687 | if ((l + nc + 2) > llen) { |
| 1683 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) | 1688 | if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) |