2 files changed, 32 insertions, 0 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 57f1d3f52a..deb3cffabe 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
+                if (n < enc_ticket.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
                n2s(p,i);
                authenticator.length = i;
+                if (n < enc_ticket.length + authenticator.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                authenticator.data = (char *)p;
                p+=authenticator.length;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 57f1d3f52a..deb3cffabe 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                n2s(p,i);
                enc_ticket.length = i;
+                if (n < enc_ticket.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
                n2s(p,i);
                authenticator.length = i;
+                if (n < enc_ticket.length + authenticator.length + 6)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                                SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                authenticator.data = (char *)p;
                p+=authenticator.length;

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 57f1d3f52a..deb3cffabe 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
1588		1588
1589	n2s(p,i);	1589	n2s(p,i);
1590	enc_ticket.length = i;	1590	enc_ticket.length = i;
		1591
		1592	if (n < enc_ticket.length + 6)
		1593	{
		1594	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1595	SSL_R_DATA_LENGTH_TOO_LONG);
		1596	goto err;
		1597	}
		1598
1591	enc_ticket.data = (char *)p;	1599	enc_ticket.data = (char *)p;
1592	p+=enc_ticket.length;	1600	p+=enc_ticket.length;
1593		1601
1594	n2s(p,i);	1602	n2s(p,i);
1595	authenticator.length = i;	1603	authenticator.length = i;
		1604
		1605	if (n < enc_ticket.length + authenticator.length + 6)
		1606	{
		1607	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1608	SSL_R_DATA_LENGTH_TOO_LONG);
		1609	goto err;
		1610	}
		1611
1596	authenticator.data = (char *)p;	1612	authenticator.data = (char *)p;
1597	p+=authenticator.length;	1613	p+=authenticator.length;
1598		1614


diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 57f1d3f52a..deb3cffabe 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
1588		1588
1589	n2s(p,i);	1589	n2s(p,i);
1590	enc_ticket.length = i;	1590	enc_ticket.length = i;
		1591
		1592	if (n < enc_ticket.length + 6)
		1593	{
		1594	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1595	SSL_R_DATA_LENGTH_TOO_LONG);
		1596	goto err;
		1597	}
		1598
1591	enc_ticket.data = (char *)p;	1599	enc_ticket.data = (char *)p;
1592	p+=enc_ticket.length;	1600	p+=enc_ticket.length;
1593		1601
1594	n2s(p,i);	1602	n2s(p,i);
1595	authenticator.length = i;	1603	authenticator.length = i;
		1604
		1605	if (n < enc_ticket.length + authenticator.length + 6)
		1606	{
		1607	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
		1608	SSL_R_DATA_LENGTH_TOO_LONG);
		1609	goto err;
		1610	}
		1611
1596	authenticator.data = (char *)p;	1612	authenticator.data = (char *)p;
1597	p+=authenticator.length;	1613	p+=authenticator.length;
1598		1614