generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix for CVE-2015-0291

Browse Source 
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.

Thanks to David Ramos of Stanford University for reporting this bug.

CVE-2015-0291

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/t1_lib.c
This commit is contained in:
Dr. Stephen Henson 2015-03-03 13:20:57 +00:00 committed by Matt Caswell
parent 4b22cce381
commit 76343947ad
1 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ssl/t1_lib.c
View File

@ -2967,6 +2967,7 @@ int tls1_set_server_sigalgs(SSL *s)
if (s->cert->shared_sigalgs) {
OPENSSL_free(s->cert->shared_sigalgs);
s->cert->shared_sigalgs = NULL;
s->cert->shared_sigalgslen = 0;
}
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
@ -3620,6 +3621,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
if (c->shared_sigalgs) {
OPENSSL_free(c->shared_sigalgs);
c->shared_sigalgs = NULL;
c->shared_sigalgslen = 0;
}
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
@ -3642,12 +3644,14 @@ static int tls1_set_shared_sigalgs(SSL *s)
preflen = c->peer_sigalgslen;
}
nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
if (!nmatch)
return 1;
salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
if (!salgs)
return 0;
nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
if (nmatch) {
salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
if (!salgs)
return 0;
nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
} else {
salgs = NULL;
}
c->shared_sigalgs = salgs;
c->shared_sigalgslen = nmatch;
return 1;