Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 33 | 
1 files changed, 19 insertions, 14 deletions
| diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index c595fa31cc..ab8e74e63a 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.108 2015/06/18 22:51:05 doug Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.109 2015/06/20 17:04:07 doug Exp $ */ | 
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 
| 3 | * All rights reserved. | 3 | * All rights reserved. | 
| 4 | * | 4 | * | 
| @@ -164,6 +164,8 @@ | |||
| 164 | #include <openssl/objects.h> | 164 | #include <openssl/objects.h> | 
| 165 | #include <openssl/x509.h> | 165 | #include <openssl/x509.h> | 
| 166 | 166 | ||
| 167 | #include "bytestring.h" | ||
| 168 | |||
| 167 | static const SSL_METHOD *ssl3_get_server_method(int ver); | 169 | static const SSL_METHOD *ssl3_get_server_method(int ver); | 
| 168 | 170 | ||
| 169 | const SSL_METHOD SSLv3_server_method_data = { | 171 | const SSL_METHOD SSLv3_server_method_data = { | 
| @@ -2702,10 +2704,10 @@ ssl3_send_cert_status(SSL *s) | |||
| 2702 | int | 2704 | int | 
| 2703 | ssl3_get_next_proto(SSL *s) | 2705 | ssl3_get_next_proto(SSL *s) | 
| 2704 | { | 2706 | { | 
| 2707 | CBS cbs, proto, padding; | ||
| 2705 | int ok; | 2708 | int ok; | 
| 2706 | int proto_len, padding_len; | ||
| 2707 | long n; | 2709 | long n; | 
| 2708 | const unsigned char *p; | 2710 | size_t len; | 
| 2709 | 2711 | ||
| 2710 | /* | 2712 | /* | 
| 2711 | * Clients cannot send a NextProtocol message if we didn't see the | 2713 | * Clients cannot send a NextProtocol message if we didn't see the | 
| @@ -2738,7 +2740,7 @@ ssl3_get_next_proto(SSL *s) | |||
| 2738 | return (0); | 2740 | return (0); | 
| 2739 | /* The body must be > 1 bytes long */ | 2741 | /* The body must be > 1 bytes long */ | 
| 2740 | 2742 | ||
| 2741 | p = (unsigned char *)s->init_msg; | 2743 | CBS_init(&cbs, s->init_msg, s->init_num); | 
| 2742 | 2744 | ||
| 2743 | /* | 2745 | /* | 
| 2744 | * The payload looks like: | 2746 | * The payload looks like: | 
| @@ -2747,21 +2749,24 @@ ssl3_get_next_proto(SSL *s) | |||
| 2747 | * uint8 padding_len; | 2749 | * uint8 padding_len; | 
| 2748 | * uint8 padding[padding_len]; | 2750 | * uint8 padding[padding_len]; | 
| 2749 | */ | 2751 | */ | 
| 2750 | proto_len = p[0]; | 2752 | if (!CBS_get_u8_length_prefixed(&cbs, &proto) || | 
| 2751 | if (proto_len + 2 > s->init_num) | 2753 | !CBS_get_u8_length_prefixed(&cbs, &padding) || | 
| 2752 | return (0); | 2754 | CBS_len(&cbs) != 0) | 
| 2753 | padding_len = p[proto_len + 1]; | 2755 | return 0; | 
| 2754 | if (proto_len + padding_len + 2 != s->init_num) | 2756 | |
| 2755 | return (0); | 2757 | /* | 
| 2758 | * XXX We should not NULL it, but this matches old behavior of not | ||
| 2759 | * freeing before malloc. | ||
| 2760 | */ | ||
| 2761 | s->next_proto_negotiated = NULL; | ||
| 2762 | s->next_proto_negotiated_len = 0; | ||
| 2756 | 2763 | ||
| 2757 | s->next_proto_negotiated = malloc(proto_len); | 2764 | if (!CBS_stow(&proto, &s->next_proto_negotiated, &len)) { | 
| 2758 | if (!s->next_proto_negotiated) { | ||
| 2759 | SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, | 2765 | SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, | 
| 2760 | ERR_R_MALLOC_FAILURE); | 2766 | ERR_R_MALLOC_FAILURE); | 
| 2761 | return (0); | 2767 | return (0); | 
| 2762 | } | 2768 | } | 
| 2763 | memcpy(s->next_proto_negotiated, p + 1, proto_len); | 2769 | s->next_proto_negotiated_len = (uint8_t)len; | 
| 2764 | s->next_proto_negotiated_len = proto_len; | ||
| 2765 | 2770 | ||
| 2766 | return (1); | 2771 | return (1); | 
| 2767 | } | 2772 | } | 
