From b35fdb6ff39ff4535528cc5246fd9dbe3465eed4 Mon Sep 17 00:00:00 2001 From: djm <> Date: Thu, 10 Feb 2011 22:40:27 +0000 Subject: fix for CVE-2011-0014 "OCSP stapling vulnerability"; ok markus@ jasper@ miod@ AFAIK nothing in base uses this, though apache2 from ports may be affected. --- src/lib/libssl/src/ssl/t1_lib.c | 8 +++++++- src/lib/libssl/t1_lib.c | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 833fc172de..0baa70663a 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c @@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 833fc172de..0baa70663a 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; -- cgit v1.2.3-55-g6feb