generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix buffer overflow in SSL_get_shared_ciphers() function.

Browse Source 
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

Fix SSL client code which could crash if connecting to a
 malicious SSLv2 server.  (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
This commit is contained in:
Mark J. Cox 2006-09-28 13:18:43 +00:00
parent cbb92dfaf0
commit 3ff55e9680
4 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
CHANGES
View File

@ -4,6 +4,13 @@
Changes between 0.9.8d and 0.9.9 [xx XXX xxxx] Changes between 0.9.8d and 0.9.9 [xx XXX xxxx]
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
malicious SSLv2 server. (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
to external functions. This can be used to increase CRL handling to external functions. This can be used to increase CRL handling
efficiency especially when CRLs are very large by (for example) storing efficiency especially when CRLs are very large by (for example) storing
@ -408,6 +415,20 @@
Changes between 0.9.8c and 0.9.8d [xx XXX xxxx] Changes between 0.9.8c and 0.9.8d [xx XXX xxxx]
*) Introduce limits to prevent malicious keys being able to
cause a denial of service. (CVE-2006-2940)
[Steve Henson, Bodo Moeller]
*) Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service. (CVE-2006-2937) [Steve Henson]
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
malicious SSLv2 server. (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
match only those. Before that, "AES256-SHA" would be interpreted match only those. Before that, "AES256-SHA" would be interpreted
as a pattern and match "AES128-SHA" too (since AES128-SHA got as a pattern and match "AES128-SHA" too (since AES128-SHA got

3
ssl/s2_clnt.c
View File

@ -520,7 +520,8 @@ static int get_server_hello(SSL *s)
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
} }
if (s->session->peer != s->session->sess_cert->peer_key->x509) if (s->session->sess_cert == NULL
|| s->session->peer != s->session->sess_cert->peer_key->x509)
/* can't happen */ /* can't happen */
{ {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);

2
ssl/s3_srvr.c
View File

@ -2089,7 +2089,7 @@ int ssl3_get_client_key_exchange(SSL *s)
if (kssl_ctx->client_princ) if (kssl_ctx->client_princ)
{ {
int len = strlen(kssl_ctx->client_princ); size_t len = strlen(kssl_ctx->client_princ);
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
{ {
s->session->krb5_client_princ_len = len; s->session->krb5_client_princ_len = len;

2
ssl/ssl_lib.c
View File

@ -1272,7 +1272,7 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
c=sk_SSL_CIPHER_value(sk,i); c=sk_SSL_CIPHER_value(sk,i);
for (cp=c->name; *cp; ) for (cp=c->name; *cp; )
{ {
if (len-- == 0) if (len-- <= 0)
{ {
*p='\0'; *p='\0';
return(buf); return(buf);