| author | djm <> | 2011-02-10 22:40:27 +0000 |
|---|---|---|
| committer | djm <> | 2011-02-10 22:40:27 +0000 |
| commit | b35fdb6ff39ff4535528cc5246fd9dbe3465eed4 (patch) | |
| tree | b42324cd96cf41474a0d240313ec5f28754ddef5 /src/lib/libssl/t1_lib.c | |
| parent | 3e4e9052238c7842bcccc5bc4e99c4fb560e5fa2 (diff) | |
fix for CVE-2011-0014 "OCSP stapling vulnerability";
ok markus@ jasper@ miod@
AFAIK nothing in base uses this, though apache2 from ports may be affected.
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 8 |
1 files changed, 7 insertions, 1 deletions
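--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 n2s(data, idsize);
 dsize -= 2 + idsize;
+size -= 2 + idsize;
 if (dsize < 0)
 {
 *al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 
 /* Read in request_extensions */
+if (size < 2)
+{
+*al = SSL_AD_DECODE_ERROR;
+return 0;
+}
 n2s(data,dsize);
 size -= 2;
-if (dsize > size)
+if (dsize != size)
 {
 *al = SSL_AD_DECODE_ERROR;
 return 0;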
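Review bot: The added `size -= 2 + idsize;` and the tightened `if (dsize != size)` both rely on an invariant the code never states: `size` must always be the number of bytes left in the extension being parsed, while `dsize` is reused, first as the running length decremented per `idsize` entry and then as the request_extensions length. A comment above the new decrement, such as `/* keep size (bytes left in this extension) in step with dsize; the request_extensions check below depends on it */`, would make it harder for a later edit to bring back a comparison against a stale length. Next to `dsize != size` it is worth recording that trailing bytes are now rejected on purpose, for example `/* request_extensions must fill the rest of the extension exactly */`. The function starts and ends outside both hunks, so the relationship between `dsize` and `size` at loop entry cannot be confirmed from the visible lines.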
