From 2c12df5367b6b360d500ddef6381265e29dbce1a Mon Sep 17 00:00:00 2001 From: simon Date: Sun, 13 Feb 2011 11:09:39 +0000 Subject: [PATCH] MFS 218633: Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could cause OpenSSL to parse past the end of the message. Note: Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On". The very quick merge is done to get this fix into 7.4 / 8.2. Approved by: re (bz) Obtained from: OpenSSL CVS Security: http://www.openssl.org/news/secadv_20110208.txt Security: CVE-2011-0014 git-svn-id: svn://svn.freebsd.org/base/releng/8.2@218635 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- crypto/openssl/ssl/t1_lib.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index 0cc8320e..92cac130 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } n2s(data, idsize); dsize -= 2 + idsize; + size -= 2 + idsize; if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; @@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } /* Read in request_extensions */ + if (size < 2) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } n2s(data,dsize); size -= 2; - if (dsize > size) + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; -- 2.42.0