diff options
| author | jasper <> | 2010-11-17 19:12:57 +0000 |
|---|---|---|
| committer | jasper <> | 2010-11-17 19:12:57 +0000 |
| commit | d8a8950f9e001a1a06c203d83d1e67614ccde7a4 (patch) | |
| tree | c4ce8e1c7fdf1cfc26e1cd0b0dfdaf76aeac38af /src | |
| parent | e66c7843d893ab79e9921f71c66fc647fdfc5b5d (diff) | |
| download | openbsd-d8a8950f9e001a1a06c203d83d1e67614ccde7a4.tar.gz openbsd-d8a8950f9e001a1a06c203d83d1e67614ccde7a4.tar.bz2 openbsd-d8a8950f9e001a1a06c203d83d1e67614ccde7a4.zip | |
- Apply security fix for CVE-2010-3864.
ok djm@ deraadt@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 9ce726996d..5d401c3572 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -369,14 +369,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 369 | switch (servname_type) | 369 | switch (servname_type) |
| 370 | { | 370 | { |
| 371 | case TLSEXT_NAMETYPE_host_name: | 371 | case TLSEXT_NAMETYPE_host_name: |
| 372 | if (s->session->tlsext_hostname == NULL) | 372 | if (!s->hit) |
| 373 | { | 373 | { |
| 374 | if (len > TLSEXT_MAXLEN_host_name || | 374 | if(s->session->tlsext_hostname) |
| 375 | ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) | 375 | { |
| 376 | *al = SSL_AD_DECODE_ERROR; | ||
| 377 | return 0; | ||
| 378 | } | ||
| 379 | if (len > TLSEXT_MAXLEN_host_name) | ||
| 376 | { | 380 | { |
| 377 | *al = TLS1_AD_UNRECOGNIZED_NAME; | 381 | *al = TLS1_AD_UNRECOGNIZED_NAME; |
| 378 | return 0; | 382 | return 0; |
| 379 | } | 383 | } |
| 384 | if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) | ||
| 385 | { | ||
| 386 | *al = TLS1_AD_INTERNAL_ERROR; | ||
| 387 | return 0; | ||
| 388 | } | ||
| 380 | memcpy(s->session->tlsext_hostname, sdata, len); | 389 | memcpy(s->session->tlsext_hostname, sdata, len); |
| 381 | s->session->tlsext_hostname[len]='\0'; | 390 | s->session->tlsext_hostname[len]='\0'; |
| 382 | if (strlen(s->session->tlsext_hostname) != len) { | 391 | if (strlen(s->session->tlsext_hostname) != len) { |
| @@ -389,7 +398,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
| 389 | 398 | ||
| 390 | } | 399 | } |
| 391 | else | 400 | else |
| 392 | s->servername_done = strlen(s->session->tlsext_hostname) == len | 401 | s->servername_done = s->session->tlsext_hostname |
| 402 | && strlen(s->session->tlsext_hostname) == len | ||
| 393 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; | 403 | && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; |
| 394 | 404 | ||
| 395 | break; | 405 | break; |