From 9566d97d91fecf6448578e21116b0bc95b9a5e0c Mon Sep 17 00:00:00 2001
From: jasper <>
Date: Wed, 14 Apr 2010 12:41:05 +0000
Subject: Security fix for CVE-2010-0740

"In TLS connections, certain incorrectly formatted records can cause an OpenSSL
client or server to crash due to a read attempt at NULL."

http://openssl.org/news/secadv_20100324.txt

ok deraadt@ djm@ sthen@
---
 src/lib/libssl/s3_pkt.c         | 7 ++++---
 src/lib/libssl/src/ssl/s3_pkt.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index b98b84044f..515739c08c 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -282,9 +282,10 @@ again:
 			if (version != s->version)
 				{
 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-				/* Send back error using their
-				 * version number :-) */
-				s->version=version;
+                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                	/* Send back error using their
+					 * minor version number :-) */
+					s->version = (unsigned short)version;
 				al=SSL_AD_PROTOCOL_VERSION;
 				goto f_err;
 				}
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index b98b84044f..515739c08c 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -282,9 +282,10 @@ again:
 			if (version != s->version)
 				{
 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-				/* Send back error using their
-				 * version number :-) */
-				s->version=version;
+                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                	/* Send back error using their
+					 * minor version number :-) */
+					s->version = (unsigned short)version;
 				al=SSL_AD_PROTOCOL_VERSION;
 				goto f_err;
 				}
-- 
cgit v1.2.3-55-g6feb