diff options
| author | tb <> | 2020-05-23 09:02:02 +0000 |
|---|---|---|
| committer | tb <> | 2020-05-23 09:02:02 +0000 |
| commit | b768c5c1492afd22be2c8863695e95abb86e767e (patch) | |
| tree | 21a3fe2768e487d453cfb95b21f3e4729753a9d7 /src | |
| parent | 600b8d8760845e0bc65bf4bd057ede30af717a4b (diff) | |
| download | openbsd-b768c5c1492afd22be2c8863695e95abb86e767e.tar.gz openbsd-b768c5c1492afd22be2c8863695e95abb86e767e.tar.bz2 openbsd-b768c5c1492afd22be2c8863695e95abb86e767e.zip | |
Avoid an out-of-bounds array access in the s_server.
It can be triggered by sending a line to stdin while no connection
is open and then connecting a client. The first SSL_write() fails,
sends SSL_ERROR_WANT_* and then causes a segfault deep down in the
tls stack when accessing &(buf[-1]).
ok beck inoguchi
Diffstat (limited to 'src')
| -rw-r--r-- | src/usr.bin/openssl/s_server.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c index b397e6966d..e0838b2b50 100644 --- a/src/usr.bin/openssl/s_server.c +++ b/src/usr.bin/openssl/s_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s_server.c,v 1.35 2020/05/13 10:18:03 inoguchi Exp $ */ | 1 | /* $OpenBSD: s_server.c,v 1.36 2020/05/23 09:02:02 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1502,6 +1502,8 @@ sv_body(char *hostname, int s, unsigned char *context) | |||
| 1502 | ret = 1; | 1502 | ret = 1; |
| 1503 | goto err; | 1503 | goto err; |
| 1504 | } | 1504 | } |
| 1505 | if (k <= 0) | ||
| 1506 | continue; | ||
| 1505 | l += k; | 1507 | l += k; |
| 1506 | i -= k; | 1508 | i -= k; |
| 1507 | if (i <= 0) | 1509 | if (i <= 0) |