From a3a119832527c9b5473b68f806e954fa8a158e87 Mon Sep 17 00:00:00 2001 From: delphij Date: Fri, 27 Jan 2017 07:45:06 +0000 Subject: [PATCH] Backport OpenSSL commit 56336b6c7a75ed28067cadedd8ac46572348bc2f: MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit crypto/evp: harden RC4_MD5 cipher. Originally a crash in 32-bit build was reported CHACHA20-POLY1305 cipher. The crash is triggered by truncated packet and is result of excessive hashing to the edge of accessible memory (or bogus MAC value is produced if x86 MD5 assembly module is involved). Since hash operation is read-only it is not considered to be exploitable beyond a DoS condition. Thanks to Robert Święcki for report. This is a direct commit to stable/10. Security: CVE-2017-3731 git-svn-id: svn://svn.freebsd.org/base/stable/10@312863 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- crypto/openssl/crypto/evp/e_rc4_hmac_md5.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c b/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c index 2da111782..ca539132c 100644 --- a/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c @@ -267,6 +267,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { + if (len < MD5_DIGEST_LENGTH) + return -1; len -= MD5_DIGEST_LENGTH; p[arg - 2] = len >> 8; p[arg - 1] = len; -- 2.45.0
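Review bot: The new guard `if (len < MD5_DIGEST_LENGTH) return -1;` in the `!ctx->encrypt` branch is the right fix for the underflow: `len` comes straight from the two length bytes of the caller-supplied AAD (`len = p[arg - 2] << 8 | p[arg - 1];`), so for a truncated record the following `len -= MD5_DIGEST_LENGTH;` wraps to a large value, the rewritten length bytes `p[arg - 2] = len >> 8; p[arg - 1] = len;` carry that value onward, and the MAC computation runs past the end of the buffer, which matches the crash and bogus-MAC behaviour described in the commit message. Two things worth tightening before merge: first, please add a one-line comment above the check stating that it rejects records shorter than the MD5 MAC so the intent survives the next reader; second, confirm that `-1` is the same failure value the rest of `rc4_hmac_md5_ctrl` returns for a malformed `EVP_CTRL_AEAD_TLS1_AAD` argument, so the record-layer caller treats this as a decrypt error rather than as a valid padding length. A regression test that feeds a record whose length field is below `MD5_DIGEST_LENGTH` and asserts the ctrl call fails would also pin the behaviour, since the encrypt branch has no equivalent check and only the decrypt path is protected here.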