From 53cf491d8405e23b0f0b5b740684df633ecec3b9 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 22 Sep 2016 12:33:50 +0000 Subject: Avoid unbounded memory growth, which can be triggered by a client repeatedly renegotiating and sending OCSP Status Request TLS extensions. Fix based on OpenSSL. --- src/lib/libssl/t1_lib.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 6853bc210e..3f66e2e6d0 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.89 2016/09/22 06:57:40 guenther Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.90 2016/09/22 12:33:50 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1444,10 +1444,28 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Read in responder_id_list */ n2s(data, dsize); size -= 2; - if (dsize > size ) { + if (dsize > size) { *al = SSL_AD_DECODE_ERROR; return 0; } + + /* + * We remove any OCSP_RESPIDs from a + * previous handshake to prevent + * unbounded memory growth. + */ + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, + OCSP_RESPID_free); + s->tlsext_ocsp_ids = NULL; + if (dsize > 0) { + s->tlsext_ocsp_ids = + sk_OCSP_RESPID_new_null(); + if (s->tlsext_ocsp_ids == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + return 0; + } + } + while (dsize > 0) { OCSP_RESPID *id; int idsize; @@ -1475,13 +1493,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, *al = SSL_AD_DECODE_ERROR; return 0; } - if (!s->tlsext_ocsp_ids && - !(s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null())) { - OCSP_RESPID_free(id); - *al = SSL_AD_INTERNAL_ERROR; - return 0; - } if (!sk_OCSP_RESPID_push( s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id); -- cgit v1.2.3-55-g6feb