Submitted by: Bodo Moeller and Adam Langley (Google).
Fix for "Record of death" vulnerability CVE-2010-0740.
This commit is contained in:
Dr. Stephen Henson
11
CHANGES
11
CHANGES
@@ -2,7 +2,16 @@
|
|||||||
OpenSSL CHANGES
|
OpenSSL CHANGES
|
||||||
_______________
|
_______________
|
||||||
|
|
||||||
Changes between 0.9.8m and 0.9.8n [xx XXX xxxx]
|
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
|
||||||
|
|
||||||
|
*) When rejecting SSL/TLS records due to an incorrect version number, never
|
||||||
|
update s->server with a new major version number. As of
|
||||||
|
- OpenSSL 0.9.8m if 'short' is a 16-bit type,
|
||||||
|
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
|
||||||
|
the previous behavior could result in a read attempt at NULL when
|
||||||
|
receiving specific incorrect SSL/TLS records once record payload
|
||||||
|
protection is active. (CVE-2010-0740)
|
||||||
|
[Bodo Moeller, Adam Langley <agl@chromium.org>]
|
||||||
|
|
||||||
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
|
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
|
||||||
could be crashed if the relevant tables were not present (e.g. chrooted).
|
could be crashed if the relevant tables were not present (e.g. chrooted).
|
||||||
|
|||||||
@@ -291,9 +291,9 @@ again:
|
|||||||
if (version != s->version)
|
if (version != s->version)
|
||||||
{
|
{
|
||||||
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
|
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
|
||||||
/* Send back error using their
|
if ((s->version & 0xFF00) == (version & 0xFF00))
|
||||||
* version number :-) */
|
/* Send back error using their minor version number :-) */
|
||||||
s->version=version;
|
s->version = (unsigned short)version;
|
||||||
al=SSL_AD_PROTOCOL_VERSION;
|
al=SSL_AD_PROTOCOL_VERSION;
|
||||||
goto f_err;
|
goto f_err;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user