| author | tb <> | 2020-08-10 18:54:45 +0000 |
|---|---|---|
| committer | tb <> | 2020-08-10 18:54:45 +0000 |
| commit | 0b0cb6f2e4ee8f57394fb83f25dc8aec57a8337c (patch) | |
| tree | 310cdbfa4c00941624f3ec1875bdf9feb5a3352e /src | |
| parent | 83a0e43c1e4ba1d01aa994ce2a56e13e01d4822e (diff) | |
Avoid passing -1 to freezero.
If a peer sends a bogus record consisting of all-zero plaintext,
the content_len would be decremented to -1 and cause a crash in
freezero.
ok inoguchi jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/tls13_record_layer.c | 19 |
1 files changed, 10 insertions, 9 deletions
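--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.50 2020/08/04 14:34:54 inoguchi Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.51 2020/08/10 18:54:45 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -530,8 +530,9 @@ static int
 tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
 {
 CBS header, enc_record;
+ssize_t inner_len;
 uint8_t *content = NULL;
-ssize_t content_len = 0;
+size_t content_len = 0;
 uint8_t content_type;
 size_t out_len;
 
@@ -572,22 +573,22 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl)
 * Time to hunt for that elusive content type!
 */
 /* XXX - CBS from end? CBS_get_end_u8()? */
-content_len = out_len - 1;
-while (content_len >= 0 && content[content_len] == 0)
-content_len--;
-if (content_len < 0)
+inner_len = out_len - 1;
+while (inner_len >= 0 && content[inner_len] == 0)
+inner_len--;
+if (inner_len < 0)
 goto err;
-if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
+if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) {
 rl->alert = SSL_AD_RECORD_OVERFLOW;
 goto err;
 }
-content_type = content[content_len];
+content_type = content[inner_len];
 
 tls13_record_layer_rbuf_free(rl);
 
 rl->rbuf_content_type = content_type;
 rl->rbuf = content;
-rl->rbuf_len = content_len;
+rl->rbuf_len = inner_len;
 
 CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len);
 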
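Review bot: The all-zero-plaintext path at `if (inner_len < 0) goto err;` leaves the function without setting `rl->alert`, whereas the oversize branch right after it sets `SSL_AD_RECORD_OVERFLOW`. RFC 8446 section 5.4 requires terminating the connection with an unexpected_message alert when no non-zero octet is found, so I would write `if (inner_len < 0) { rl->alert = SSL_AD_UNEXPECTED_MESSAGE; goto err; }`, unless the err path or the caller already supplies that alert, which is not visible here. Separately, `inner_len = out_len - 1;` relies on the size_t-to-ssize_t conversion yielding -1 when out_len is 0; an explicit `out_len == 0` check before the scan, or a one-line comment stating the reliance, would make that intent clear. The rest of the function, including the err label and the freezero call the commit message refers to, lies outside the hunks shown.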
