From owner-svn-src-all@FreeBSD.ORG Sun Feb 13 11:10:57 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A6932106566C; Sun, 13 Feb 2011 11:10:57 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 94B0D8FC0A; Sun, 13 Feb 2011 11:10:57 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p1DBAvLp037281; Sun, 13 Feb 2011 11:10:57 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p1DBAv2l037279; Sun, 13 Feb 2011 11:10:57 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <201102131110.p1DBAv2l037279@svn.freebsd.org> From: "Simon L. Nielsen" Date: Sun, 13 Feb 2011 11:10:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r218636 - releng/7.4/crypto/openssl/ssl X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Feb 2011 11:10:57 -0000 Author: simon Date: Sun Feb 13 11:10:57 2011 New Revision: 218636 URL: http://svn.freebsd.org/changeset/base/218636 Log: MFS 218634: Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could cause OpenSSL to parse past the end of the message. Note: Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On". The very quick merge is done to get this fix into 7.4 / 8.2. Approved by: re (bz) Obtained from: OpenSSL CVS Security: http://www.openssl.org/news/secadv_20110208.txt Security: CVE-2011-0014 Modified: releng/7.4/crypto/openssl/ssl/t1_lib.c Directory Properties: releng/7.4/crypto/openssl/ (props changed) Modified: releng/7.4/crypto/openssl/ssl/t1_lib.c ============================================================================== --- releng/7.4/crypto/openssl/ssl/t1_lib.c Sun Feb 13 11:09:39 2011 (r218635) +++ releng/7.4/crypto/openssl/ssl/t1_lib.c Sun Feb 13 11:10:57 2011 (r218636) @@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0;