Fix possible buffer overrun.
(cherry picked from commit 2db3ea29298bdc347f15fbfab6d5746022f05101) Conflicts: ssl/ssl_locl.h ssl/t1_lib.c
This commit is contained in:
Ben Laurie
parent
daa96141d3
commit
70c739b8db
@ -1264,8 +1264,8 @@ int tls1_shared_list(SSL *s,
|
||||
const unsigned char *l1, size_t l1len,
|
||||
const unsigned char *l2, size_t l2len,
|
||||
int nmatch);
|
||||
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al);
|
||||
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al);
|
||||
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al);
|
||||
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al);
|
||||
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
|
||||
int ssl_check_clienthello_tlsext_late(SSL *s);
|
||||
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
|
||||
|
||||
34
ssl/t1_lib.c
34
ssl/t1_lib.c
@ -1089,10 +1089,11 @@ void ssl_set_client_disabled(SSL *s)
|
||||
c->valid = 1;
|
||||
}
|
||||
|
||||
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
|
||||
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
|
||||
{
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
unsigned char *orig = buf;
|
||||
unsigned char *ret = buf;
|
||||
#ifndef OPENSSL_NO_EC
|
||||
/* See if we support any ECC ciphersuites */
|
||||
int using_ecc = 0;
|
||||
@ -1121,7 +1122,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
/* don't add extensions for SSLv3 unless doing secure renegotiation */
|
||||
if (s->client_version == SSL3_VERSION
|
||||
&& !s->s3->send_connection_binding)
|
||||
return p;
|
||||
return orig;
|
||||
|
||||
ret+=2;
|
||||
|
||||
@ -1170,7 +1171,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if((limit - p - 4 - el) < 0) return NULL;
|
||||
if((limit - ret - 4 - el) < 0) return NULL;
|
||||
|
||||
s2n(TLSEXT_TYPE_renegotiate,ret);
|
||||
s2n(el,ret);
|
||||
@ -1424,7 +1425,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
|
||||
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
|
||||
|
||||
if((limit - p - 4 - el) < 0) return NULL;
|
||||
if((limit - ret - 4 - el) < 0) return NULL;
|
||||
|
||||
s2n(TLSEXT_TYPE_use_srtp,ret);
|
||||
s2n(el,ret);
|
||||
@ -1500,17 +1501,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
}
|
||||
}
|
||||
|
||||
if ((extdatalen = ret-p-2) == 0)
|
||||
return p;
|
||||
if ((extdatalen = ret-orig-2)== 0)
|
||||
return orig;
|
||||
|
||||
s2n(extdatalen,p);
|
||||
s2n(extdatalen, orig);
|
||||
return ret;
|
||||
}
|
||||
|
||||
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
|
||||
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit, int *al)
|
||||
{
|
||||
int extdatalen=0;
|
||||
unsigned char *ret = p;
|
||||
unsigned char *orig = buf;
|
||||
unsigned char *ret = buf;
|
||||
size_t i;
|
||||
custom_srv_ext_record *record;
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
@ -1524,7 +1526,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
#endif
|
||||
/* don't add extensions for SSLv3, unless doing secure renegotiation */
|
||||
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
|
||||
return p;
|
||||
return orig;
|
||||
|
||||
ret+=2;
|
||||
if (ret>=limit) return NULL; /* this really never occurs, but ... */
|
||||
@ -1547,7 +1549,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if((limit - p - 4 - el) < 0) return NULL;
|
||||
if((limit - ret - 4 - el) < 0) return NULL;
|
||||
|
||||
s2n(TLSEXT_TYPE_renegotiate,ret);
|
||||
s2n(el,ret);
|
||||
@ -1628,7 +1630,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
|
||||
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
|
||||
|
||||
if((limit - p - 4 - el) < 0) return NULL;
|
||||
if((limit - ret - 4 - el) < 0) return NULL;
|
||||
|
||||
s2n(TLSEXT_TYPE_use_srtp,ret);
|
||||
s2n(el,ret);
|
||||
@ -1739,10 +1741,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
ret += len;
|
||||
}
|
||||
|
||||
if ((extdatalen = ret-p-2)== 0)
|
||||
return p;
|
||||
if ((extdatalen = ret-orig-2)== 0)
|
||||
return orig;
|
||||
|
||||
s2n(extdatalen,p);
|
||||
s2n(extdatalen, orig);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user