Date: Sun, 13 Feb 2011 10:24:36 +0000 (UTC) From: "Simon L. Nielsen" <simon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r218634 - stable/7/crypto/openssl/ssl Message-ID: <201102131024.p1DAOap4033959@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: simon Date: Sun Feb 13 10:24:36 2011 New Revision: 218634 URL: http://svn.freebsd.org/changeset/base/218634 Log: MFC 218625: Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could cause OpenSSL to parse past the end of the message. Note: Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On". The very quick MFC is done to get this fix into 7.4 / 8.2. Discussed with: re Approved by: so (simon, for "instant" MFC) Obtained from: OpenSSL CVS Security: http://www.openssl.org/news/secadv_20110208.txt Security: CVE-2011-0014 Modified: stable/7/crypto/openssl/ssl/t1_lib.c Directory Properties: stable/7/crypto/openssl/ (props changed) Modified: stable/7/crypto/openssl/ssl/t1_lib.c ============================================================================== --- stable/7/crypto/openssl/ssl/t1_lib.c Sun Feb 13 10:22:43 2011 (r218633) +++ stable/7/crypto/openssl/ssl/t1_lib.c Sun Feb 13 10:24:36 2011 (r218634) @@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102131024.p1DAOap4033959>