generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix possible buffer overrun.

Browse Source
This commit is contained in:
Ben Laurie 2014-04-23 18:13:20 +01:00
parent c28b055a0c
commit 2db3ea2929
2 changed files with 20 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/ssl_locl.h
View File

@ -1096,8 +1096,8 @@ int tls1_ec_nid2curve_id(int nid);
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_clienthello_tlsext(SSL *s);

34
ssl/t1_lib.c
View File

@ -352,15 +352,16 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
return (int)slen; return (int)slen;
} }
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
{ {
int extdatalen=0; int extdatalen=0;
unsigned char *ret = p; unsigned char *orig = buf;
unsigned char *ret = buf;
/* don't add extensions for SSLv3 unless doing secure renegotiation */ /* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding) && !s->s3->send_connection_binding)
return p; return orig;
ret+=2; ret+=2;
@ -409,7 +410,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
return NULL; return NULL;
} }
if((limit - p - 4 - el) < 0) return NULL; if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_renegotiate,ret); s2n(TLSEXT_TYPE_renegotiate,ret);
s2n(el,ret); s2n(el,ret);
@ -650,7 +651,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
if((limit - p - 4 - el) < 0) return NULL; if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_use_srtp,ret); s2n(TLSEXT_TYPE_use_srtp,ret);
s2n(el,ret); s2n(el,ret);
@ -693,24 +694,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
} }
} }
if ((extdatalen = ret-p-2)== 0) if ((extdatalen = ret-orig-2)== 0)
return p; return orig;
s2n(extdatalen,p); s2n(extdatalen, orig);
return ret; return ret;
} }
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
{ {
int extdatalen=0; int extdatalen=0;
unsigned char *ret = p; unsigned char *orig = buf;
unsigned char *ret = buf;
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen; int next_proto_neg_seen;
#endif #endif
/* don't add extensions for SSLv3, unless doing secure renegotiation */ /* don't add extensions for SSLv3, unless doing secure renegotiation */
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
return p; return orig;
ret+=2; ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */ if (ret>=limit) return NULL; /* this really never occurs, but ... */
@ -733,7 +735,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
return NULL; return NULL;
} }
if((limit - p - 4 - el) < 0) return NULL; if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_renegotiate,ret); s2n(TLSEXT_TYPE_renegotiate,ret);
s2n(el,ret); s2n(el,ret);
@ -813,7 +815,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
if((limit - p - 4 - el) < 0) return NULL; if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_use_srtp,ret); s2n(TLSEXT_TYPE_use_srtp,ret);
s2n(el,ret); s2n(el,ret);
@ -884,10 +886,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
} }
#endif #endif
if ((extdatalen = ret-p-2)== 0) if ((extdatalen = ret-orig-2)== 0)
return p; return orig;
s2n(extdatalen,p); s2n(extdatalen, orig);
return ret; return ret;
} }