From 620adf8d12a202de54144b22b6ee4fa8c70e16bf Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sat, 6 Dec 2014 13:21:14 +0000
Subject: Fix two cases where it is possible to read one or two bytes past the end of the buffer. The later size check would catch this, however reading first and checking later is less than ideal. ok miod@
---
 src/lib/libssl/src/ssl/t1_lib.c | 18 +++++++++++++++---
 src/lib/libssl/t1_lib.c | 18 +++++++++++++++---
 2 files changed, 30 insertions(+), 6 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 2a53b09ed2..3412e70d30 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1334,7 +1334,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 else if (type == TLSEXT_TYPE_ec_point_formats &&
 s->version != DTLS1_VERSION) {
 unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
+ int ecpointformatlist_length;
+
+ if (size < 1) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ecpointformatlist_length = *(sdata++);
 
 if (ecpointformatlist_length != size - 1) {
 *al = TLS1_AD_DECODE_ERROR;
@@ -1354,7 +1360,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 } else if (type == TLSEXT_TYPE_elliptic_curves &&
 s->version != DTLS1_VERSION) {
 unsigned char *sdata = data;
- int ellipticcurvelist_length = (*(sdata++) << 8);
+ int ellipticcurvelist_length;
+
+ if (size < 2) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ellipticcurvelist_length = (*(sdata++) << 8);
 ellipticcurvelist_length += (*(sdata++));
 
 if (ellipticcurvelist_length != size - 2 ||
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 2a53b09ed2..3412e70d30 100644
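Review bot: The two new guards in the ec_point_formats and elliptic_curves hunks set `*al = SSL_AD_DECODE_ERROR;` while the existing length check three lines below each of them sets `*al = TLS1_AD_DECODE_ERROR;`, so one branch now reports the same parse failure through two differently named constants; the same applies to both hunks of the duplicate src/lib/libssl/t1_lib.c. These are, to my knowledge, the same alert value in ssl.h, so this is a consistency point rather than a behavioural one, but the branch would read better with a single spelling, e.g. `*al = TLS1_AD_DECODE_ERROR;` in the new guards. A one-line comment on each guard would also tell a reader why the bound is 1 here and 2 below, e.g. `/* the list length byte(s) must be inside the extension before sdata is read */`. `size` is declared outside the hunk, so whether `size - 1` and `size - 2` are evaluated in a signed type cannot be confirmed from here; ssl_parse_clienthello_tlsext begins and ends outside both hunks.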
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1334,7 +1334,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 else if (type == TLSEXT_TYPE_ec_point_formats &&
 s->version != DTLS1_VERSION) {
 unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
+ int ecpointformatlist_length;
+
+ if (size < 1) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ecpointformatlist_length = *(sdata++);
 
 if (ecpointformatlist_length != size - 1) {
 *al = TLS1_AD_DECODE_ERROR;
@@ -1354,7 +1360,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
 } else if (type == TLSEXT_TYPE_elliptic_curves &&
 s->version != DTLS1_VERSION) {
 unsigned char *sdata = data;
- int ellipticcurvelist_length = (*(sdata++) << 8);
+ int ellipticcurvelist_length;
+
+ if (size < 2) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ellipticcurvelist_length = (*(sdata++) << 8);
 ellipticcurvelist_length += (*(sdata++));
 
 if (ellipticcurvelist_length != size - 2 ||
-- 
cgit v1.2.3-55-g6feb