1 files changed, 15 insertions, 10 deletions
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 8f05c4abc8..2974691e3c 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srtp.c,v 1.13 2015/07/15 21:52:02 beck Exp $ */
+/* $OpenBSD: d1_srtp.c,v 1.14 2015/07/17 17:36:24 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -404,32 +404,37 @@ ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
 int
-ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, int *al)
+ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d, int len, int *al)
 {
        STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
        SRTP_PROTECTION_PROFILE *prof;
-        unsigned id;
        int i;
-        int ct;
+        uint16_t id;
+        CBS cbs, profile_ids, mki;
-        if (len != 5) {
+        if (len < 0) {
                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                return 1;
        }
-        n2s(d, ct);
+        CBS_init(&cbs, d, len);
-        if (ct != 2) {
+        /*
+         * As per RFC 5764 section 4.1.1, server response MUST be a single
+         * profile id.
+         */
+        if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) ||
+            !CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) {
                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
                    SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
                *al = SSL_AD_DECODE_ERROR;
                return 1;
        }
-        n2s(d, id);
+        /* Must be no MKI, since we never offer one. */
-        if (*d) {
+        if (!CBS_get_u8_length_prefixed(&cbs, &mki) || CBS_len(&mki) != 0) {
-                /* Must be no MKI, since we never offer one. */
                SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
                    SSL_R_BAD_SRTP_MKI_VALUE);
                *al = SSL_AD_ILLEGAL_PARAMETER;

diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c index 8f05c4abc8..2974691e3c 100644 --- a/src/lib/libssl/d1_srtp.c +++ b/src/lib/libssl/d1_srtp.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_srtp.c,v 1.13 2015/07/15 21:52:02 beck Exp $ */	1	/* $OpenBSD: d1_srtp.c,v 1.14 2015/07/17 17:36:24 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -404,32 +404,37 @@ ssl_add_serverhello_use_srtp_ext(SSL s, unsigned char p, int *len, int maxlen)
404		404
405		405
406	int	406	int
407	ssl_parse_serverhello_use_srtp_ext(SSL s, unsigned char d, int len, int *al)	407	ssl_parse_serverhello_use_srtp_ext(SSL s, const unsigned char d, int len, int *al)
408	{	408	{
409	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;	409	STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
410	SRTP_PROTECTION_PROFILE *prof;	410	SRTP_PROTECTION_PROFILE *prof;
411	unsigned id;
412	int i;	411	int i;
413	int ct;	412	uint16_t id;
		413	CBS cbs, profile_ids, mki;
414		414
415	if (len != 5) {	415	if (len < 0) {
416	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,	416	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
417	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);	417	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
418	*al = SSL_AD_DECODE_ERROR;	418	*al = SSL_AD_DECODE_ERROR;
419	return 1;	419	return 1;
420	}	420	}
421		421
422	n2s(d, ct);	422	CBS_init(&cbs, d, len);
423	if (ct != 2) {	423
		424	/*
		425	* As per RFC 5764 section 4.1.1, server response MUST be a single
		426	* profile id.
		427	*/
		428	if (!CBS_get_u16_length_prefixed(&cbs, &profile_ids) \|\|
		429	!CBS_get_u16(&profile_ids, &id) \|\| CBS_len(&profile_ids) != 0) {
424	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,	430	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
425	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);	431	SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
426	*al = SSL_AD_DECODE_ERROR;	432	*al = SSL_AD_DECODE_ERROR;
427	return 1;	433	return 1;
428	}	434	}
429		435
430	n2s(d, id);	436	/* Must be no MKI, since we never offer one. */
431	if (*d) {	437	if (!CBS_get_u8_length_prefixed(&cbs, &mki) \|\| CBS_len(&mki) != 0) {
432	/* Must be no MKI, since we never offer one. */
433	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,	438	SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,
434	SSL_R_BAD_SRTP_MKI_VALUE);	439	SSL_R_BAD_SRTP_MKI_VALUE);
435	*al = SSL_AD_ILLEGAL_PARAMETER;	440	*al = SSL_AD_ILLEGAL_PARAMETER;