The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. Thanks to the many people who reported this bug and to Tomas Hoger <thoger@redhat.com> for supplying the fix.
This commit is contained in:
parent
747c6ffda4
commit
8d038a08fb
6
CHANGES
6
CHANGES
@ -4,7 +4,11 @@
|
||||
|
||||
Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]
|
||||
|
||||
*)
|
||||
*) The fix for CVE-2012-2110 did not take into account that the
|
||||
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
|
||||
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
|
||||
rejecting negative len parameter. (CVE-2012-2131)
|
||||
[Tomas Hoger <thoger@redhat.com>]
|
||||
|
||||
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
|
||||
|
||||
|
@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
|
||||
char *ret;
|
||||
unsigned int n;
|
||||
|
||||
if (len < 0)
|
||||
{
|
||||
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (str->length >= len)
|
||||
{
|
||||
str->length=len;
|
||||
@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
|
||||
char *ret;
|
||||
unsigned int n;
|
||||
|
||||
if (len < 0)
|
||||
{
|
||||
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (str->length >= len)
|
||||
{
|
||||
memset(&str->data[len],0,str->length-len);
|
||||
|
Loading…
x
Reference in New Issue
Block a user