merge fix for CVE-2014-3509 -- basically a missing s->hit check; ok guenther

author: deraadt <> 2014-08-06 23:16:16 +0000
committer: deraadt <> 2014-08-06 23:16:16 +0000
commit: a9ff92451b90fe858e2d46c1c53fc7b0c49a346b (patch)
tree: fa3d3dd67221a2e909d9ec171b8ddc29b600ab97 /src/lib
parent: 1209021f0eab25b69c67e06ccd1c6673a9afd996 (diff)
download: openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.tar.gz
openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.tar.bz2
openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.zip
2 files changed, 26 insertions, 18 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 0966e78b4d..eebe6897ef 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.52 2014/07/13 16:33:01 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.53 2014/08/06 23:16:16 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1339,16 +1339,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                        }
-                        s->session->tlsext_ecpointformatlist_length = 0;
+                        if (s->hit) {
+                                free(s->session->tlsext_ecpointformatlist);
+                                s->session->tlsext_ecpointformatlist_length = 0;
-                        free(s->session->tlsext_ecpointformatlist);
+                                if ((s->session->tlsext_ecpointformatlist =
-                        if ((s->session->tlsext_ecpointformatlist =
+                                    malloc(ecpointformatlist_length)) == NULL) {
-                            malloc(ecpointformatlist_length)) == NULL) {
+                                        *al = TLS1_AD_INTERNAL_ERROR;
-                                *al = TLS1_AD_INTERNAL_ERROR;
+                                        return 0;
-                                return 0;
+                                }
+                                s->session->tlsext_ecpointformatlist_length =
+                                    ecpointformatlist_length;
+                                memcpy(s->session->tlsext_ecpointformatlist,
+                                    sdata, ecpointformatlist_length);
                        }
-                        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                        memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                }
                else if (type == TLSEXT_TYPE_session_ticket) {
                        if (s->tls_session_ticket_ext_cb &&
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 0966e78b4d..eebe6897ef 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.52 2014/07/13 16:33:01 jsing Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.53 2014/08/06 23:16:16 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1339,16 +1339,20 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                        }
-                        s->session->tlsext_ecpointformatlist_length = 0;
+                        if (s->hit) {
+                                free(s->session->tlsext_ecpointformatlist);
+                                s->session->tlsext_ecpointformatlist_length = 0;
-                        free(s->session->tlsext_ecpointformatlist);
+                                if ((s->session->tlsext_ecpointformatlist =
-                        if ((s->session->tlsext_ecpointformatlist =
+                                    malloc(ecpointformatlist_length)) == NULL) {
-                            malloc(ecpointformatlist_length)) == NULL) {
+                                        *al = TLS1_AD_INTERNAL_ERROR;
-                                *al = TLS1_AD_INTERNAL_ERROR;
+                                        return 0;
-                                return 0;
+                                }
+                                s->session->tlsext_ecpointformatlist_length =
+                                    ecpointformatlist_length;
+                                memcpy(s->session->tlsext_ecpointformatlist,
+                                    sdata, ecpointformatlist_length);
                        }
-                        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                        memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                }
                else if (type == TLSEXT_TYPE_session_ticket) {
                        if (s->tls_session_ticket_ext_cb &&
author	deraadt <>	2014-08-06 23:16:16 +0000
committer	deraadt <>	2014-08-06 23:16:16 +0000
commit	a9ff92451b90fe858e2d46c1c53fc7b0c49a346b (patch)
tree	fa3d3dd67221a2e909d9ec171b8ddc29b600ab97 /src/lib
parent	1209021f0eab25b69c67e06ccd1c6673a9afd996 (diff)
download	openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.tar.gz openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.tar.bz2 openbsd-a9ff92451b90fe858e2d46c1c53fc7b0c49a346b.zip