fix CVE-2010-3864

This commit is contained in:
Dr. Stephen Henson
2010-11-16 14:26:18 +00:00
parent 3e8b8b8990
commit 2ae47ddbc2
3 changed files with 23 additions and 4 deletions


@@ -4,6 +4,11 @@
Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
*) Fix extension code to avoid race conditions which can result in a buffer
overrun vulnerability: resumed sessions must not be modified as they can
be shared by multiple threads. CVE-2010-3864
[Steve Henson]
*) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
[Steve Henson] [Steve Henson]

4
NEWS

@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
o Fix for security issue CVE-2010-3864.
Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o: Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
o Fix for security issue CVE-2010-0742. o Fix for security issue CVE-2010-0742.


@@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
switch (servname_type) switch (servname_type)
{ {
case TLSEXT_NAMETYPE_host_name: case TLSEXT_NAMETYPE_host_name:
if (s->session->tlsext_hostname == NULL) if (!s->hit)
{ {
if (len > TLSEXT_MAXLEN_host_name || if(s->session->tlsext_hostname)
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) {
*al = SSL_AD_DECODE_ERROR;
return 0;
}
if (len > TLSEXT_MAXLEN_host_name)
{ {
*al = TLS1_AD_UNRECOGNIZED_NAME; *al = TLS1_AD_UNRECOGNIZED_NAME;
return 0; return 0;
} }
if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
{
*al = TLS1_AD_INTERNAL_ERROR;
return 0;
}
memcpy(s->session->tlsext_hostname, sdata, len); memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0'; s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) { if (strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
} }
else else
s->servername_done = strlen(s->session->tlsext_hostname) == len s->servername_done = s->session->tlsext_hostname
&& strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break; break;
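Review bot: The new `if (!s->hit)` guard in the TLSEXT_NAMETYPE_host_name case carries the entire security rationale of this change but has no comment, so a later maintainer could fold the two branches back together and reintroduce the race; I would put `/* A resumed session (s->hit) may be shared with other threads and must never be modified here; only a freshly created session gets a hostname (CVE-2010-3864). */` directly above it. The duplicate-hostname rejection that follows is written `if(s->session->tlsext_hostname)` where the surrounding code spells it `if (`, and it signals `SSL_AD_DECODE_ERROR` while the neighbouring checks use the `TLS1_AD_` prefix, so the spelling is worth unifying. The `else` branch still reads `s->session->tlsext_hostname` from the shared session; that is read-only access, which appears to be what the fix relies on, but a one-line comment there saying the session is compared and never written would make that invariant explicit. The enclosing ssl_parse_clienthello_tlsext starts before this hunk and continues past it.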