authordjm <>2011-02-10 22:40:27 +0000
committerdjm <>2011-02-10 22:40:27 +0000
commitb35fdb6ff39ff4535528cc5246fd9dbe3465eed4 (patch)
treeb42324cd96cf41474a0d240313ec5f28754ddef5
parent3e4e9052238c7842bcccc5bc4e99c4fb560e5fa2 (diff)
fix for CVE-2011-0014 "OCSP stapling vulnerability";
ok markus@ jasper@ miod@ AFAIK nothing in base uses this, though apache2 from ports may be affected.
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c8
-rw-r--r--src/lib/libssl/t1_lib.c8
2 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 833fc172de..0baa70663a 100644
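--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 n2s(data, idsize);
 dsize -= 2 + idsize;
+size -= 2 + idsize;
 if (dsize < 0)
 {
 *al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 
 /* Read in request_extensions */
+if (size < 2)
+{
+*al = SSL_AD_DECODE_ERROR;
+return 0;
+}
 n2s(data,dsize);
 size -= 2;
-if (dsize > size)
+if (dsize != size)
 {
 *al = SSL_AD_DECODE_ERROR;
 return 0;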
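Review bot: The new `if (dsize != size)` test in the second hunk is only correct because the first hunk now decrements `size` alongside `dsize` for each responder ID, and nothing in the visible lines documents that coupling. I would add a comment above the new `if (size < 2)` guard, e.g. `/* size is the number of bytes left in this extension; every read from data must be subtracted from it */`, so a later edit cannot drop one decrement and silently weaken the length check again. Also, `size -= 2 + idsize;` runs before the `if (dsize < 0)` test; if `size` is an unsigned type (its declaration is outside the hunk) it can wrap on malformed input, which is safe only as long as that branch returns without using `size`, so either confirm that or move the subtraction below the check. The body of ssl_parse_clienthello_tlsext starts and ends outside both hunks, and the same remarks apply to the identical change in src/lib/libssl/t1_lib.c.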
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 833fc172de..0baa70663a 100644
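--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 n2s(data, idsize);
 dsize -= 2 + idsize;
+size -= 2 + idsize;
 if (dsize < 0)
 {
 *al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 
 /* Read in request_extensions */
+if (size < 2)
+{
+*al = SSL_AD_DECODE_ERROR;
+return 0;
+}
 n2s(data,dsize);
 size -= 2;
-if (dsize > size)
+if (dsize != size)
 {
 *al = SSL_AD_DECODE_ERROR;
 return 0;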