From 3b6d92e82b1421b811bcdec7f7fdfb31eeef18de Mon Sep 17 00:00:00 2001
From: jca <>
Date: Thu, 27 Feb 2014 21:04:57 +0000
Subject: SECURITY fixes backported from openssl-1.0.1f.  ok mikeb@

CVE-2013-4353 NULL pointer dereference with crafted Next Protocol
 Negotiation record in TLS handshake.
Upstream: 197e0ea

CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client.
Upstream: ca98926, 0294b2b

CVE-2013-6450 Fix DTLS retransmission from previous session.
Upstream: 3462896
---
 src/lib/libssl/s3_pkt.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/s3_pkt.c')

diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index a7d2defbea..c499c29cb5 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -1458,8 +1458,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
 		slen=s->method->ssl3_enc->client_finished_label_len;
 		}
 
-	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+	i = s->method->ssl3_enc->final_finish_mac(s,
 		sender,slen,s->s3->tmp.peer_finish_md);
+	if (i == 0)
+		{
+		SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+		return 0;
+		}
+	s->s3->tmp.peer_finish_md_len = i;
 
 	return(1);
 	}
-- 
cgit v1.2.3-55-g6feb