diff options
| author | jsing <> | 2014-12-06 13:21:14 +0000 |
|---|---|---|
| committer | jsing <> | 2014-12-06 13:21:14 +0000 |
| commit | 620adf8d12a202de54144b22b6ee4fa8c70e16bf (patch) | |
| tree | ecde56057a06347cb25e0cc2bfb919af7f2359a9 /src | |
| parent | ed70f604ab1caa2ae3105a6ca2366e741deb8732 (diff) | |
| download | openbsd-620adf8d12a202de54144b22b6ee4fa8c70e16bf.tar.gz openbsd-620adf8d12a202de54144b22b6ee4fa8c70e16bf.tar.bz2 openbsd-620adf8d12a202de54144b22b6ee4fa8c70e16bf.zip | |
Fix two cases where it is possible to read one or two bytes past the end of
the buffer. The later size check would catch this, however reading first
and checking later is less than ideal.
ok miod@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 18 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 18 |
2 files changed, 30 insertions, 6 deletions
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 2a53b09ed2..3412e70d30 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1334,7 +1334,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1334 | else if (type == TLSEXT_TYPE_ec_point_formats && | 1334 | else if (type == TLSEXT_TYPE_ec_point_formats && |
| 1335 | s->version != DTLS1_VERSION) { | 1335 | s->version != DTLS1_VERSION) { |
| 1336 | unsigned char *sdata = data; | 1336 | unsigned char *sdata = data; |
| 1337 | int ecpointformatlist_length = *(sdata++); | 1337 | int ecpointformatlist_length; |
| 1338 | |||
| 1339 | if (size < 1) { | ||
| 1340 | *al = SSL_AD_DECODE_ERROR; | ||
| 1341 | return 0; | ||
| 1342 | } | ||
| 1343 | ecpointformatlist_length = *(sdata++); | ||
| 1338 | 1344 | ||
| 1339 | if (ecpointformatlist_length != size - 1) { | 1345 | if (ecpointformatlist_length != size - 1) { |
| 1340 | *al = TLS1_AD_DECODE_ERROR; | 1346 | *al = TLS1_AD_DECODE_ERROR; |
| @@ -1354,7 +1360,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1354 | } else if (type == TLSEXT_TYPE_elliptic_curves && | 1360 | } else if (type == TLSEXT_TYPE_elliptic_curves && |
| 1355 | s->version != DTLS1_VERSION) { | 1361 | s->version != DTLS1_VERSION) { |
| 1356 | unsigned char *sdata = data; | 1362 | unsigned char *sdata = data; |
| 1357 | int ellipticcurvelist_length = (*(sdata++) << 8); | 1363 | int ellipticcurvelist_length; |
| 1364 | |||
| 1365 | if (size < 2) { | ||
| 1366 | *al = SSL_AD_DECODE_ERROR; | ||
| 1367 | return 0; | ||
| 1368 | } | ||
| 1369 | ellipticcurvelist_length = (*(sdata++) << 8); | ||
| 1358 | ellipticcurvelist_length += (*(sdata++)); | 1370 | ellipticcurvelist_length += (*(sdata++)); |
| 1359 | 1371 | ||
| 1360 | if (ellipticcurvelist_length != size - 2 || | 1372 | if (ellipticcurvelist_length != size - 2 || |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 2a53b09ed2..3412e70d30 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1334,7 +1334,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1334 | else if (type == TLSEXT_TYPE_ec_point_formats && | 1334 | else if (type == TLSEXT_TYPE_ec_point_formats && |
| 1335 | s->version != DTLS1_VERSION) { | 1335 | s->version != DTLS1_VERSION) { |
| 1336 | unsigned char *sdata = data; | 1336 | unsigned char *sdata = data; |
| 1337 | int ecpointformatlist_length = *(sdata++); | 1337 | int ecpointformatlist_length; |
| 1338 | |||
| 1339 | if (size < 1) { | ||
| 1340 | *al = SSL_AD_DECODE_ERROR; | ||
| 1341 | return 0; | ||
| 1342 | } | ||
| 1343 | ecpointformatlist_length = *(sdata++); | ||
| 1338 | 1344 | ||
| 1339 | if (ecpointformatlist_length != size - 1) { | 1345 | if (ecpointformatlist_length != size - 1) { |
| 1340 | *al = TLS1_AD_DECODE_ERROR; | 1346 | *al = TLS1_AD_DECODE_ERROR; |
| @@ -1354,7 +1360,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, | |||
| 1354 | } else if (type == TLSEXT_TYPE_elliptic_curves && | 1360 | } else if (type == TLSEXT_TYPE_elliptic_curves && |
| 1355 | s->version != DTLS1_VERSION) { | 1361 | s->version != DTLS1_VERSION) { |
| 1356 | unsigned char *sdata = data; | 1362 | unsigned char *sdata = data; |
| 1357 | int ellipticcurvelist_length = (*(sdata++) << 8); | 1363 | int ellipticcurvelist_length; |
| 1364 | |||
| 1365 | if (size < 2) { | ||
| 1366 | *al = SSL_AD_DECODE_ERROR; | ||
| 1367 | return 0; | ||
| 1368 | } | ||
| 1369 | ellipticcurvelist_length = (*(sdata++) << 8); | ||
| 1358 | ellipticcurvelist_length += (*(sdata++)); | 1370 | ellipticcurvelist_length += (*(sdata++)); |
| 1359 | 1371 | ||
| 1360 | if (ellipticcurvelist_length != size - 2 || | 1372 | if (ellipticcurvelist_length != size - 2 || |