From b16c13ed2fd774b1e93a0165b809fda9376b3fc4 Mon Sep 17 00:00:00 2001
From: markus <>
Date: Tue, 30 Jul 2002 16:00:16 +0000
Subject: sync with http://www.openssl.org/news/patch_20020730_0_9_7.txt (adds
 fix for unused kerberos and engine code, and some more assertions, as well as
 a 64bit integer string fix for conf_mod.c)

---
 src/lib/libssl/s3_srvr.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'src/lib/libssl/s3_srvr.c')

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 3748cd7c24..f03c290a3e 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -114,14 +114,14 @@
 
 
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/krb5_asn.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
@@ -1560,8 +1560,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		EVP_CIPHER		*enc = NULL;
 		unsigned char		iv[EVP_MAX_IV_LENGTH];
 		unsigned char		pms[SSL_MAX_MASTER_KEY_LENGTH
-						+ EVP_MAX_IV_LENGTH + 1];
-		int 			padl, outl = sizeof(pms);
+                                               + EVP_MAX_BLOCK_LENGTH];
+		int                     padl, outl;
 		krb5_timestamp		authtime = 0;
 		krb5_ticket_times	ttimes;
 
@@ -1584,6 +1584,16 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		enc_pms.data = (char *)p;
 		p+=enc_pms.length;
 
+		/* Note that the length is checked again below,
+		** after decryption
+		*/
+		if(enc_pms.length > sizeof pms)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+			       SSL_R_DATA_LENGTH_TOO_LONG);
+			goto err;
+			}
+
 		if (n != enc_ticket.length + authenticator.length +
 						enc_pms.length + 6)
 			{
-- 
cgit v1.2.3-55-g6feb