The fix for CVE-2012-2110 did not take into account that the

'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.

Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.
This commit is contained in:
Dr. Stephen Henson 2012-04-23 20:35:55 +00:00
parent 747c6ffda4
commit 8d038a08fb
2 changed files with 15 additions and 1 deletions

View File

@ -4,7 +4,11 @@
Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]
*)
*) The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter. (CVE-2012-2131)
[Tomas Hoger <thoger@redhat.com>]
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]

View File

@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
char *ret;
unsigned int n;
if (len < 0)
{
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
return 0;
}
if (str->length >= len)
{
str->length=len;
@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
char *ret;
unsigned int n;
if (len < 0)
{
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
return 0;
}
if (str->length >= len)
{
memset(&str->data[len],0,str->length-len);