The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. Thanks to the many people who reported this bug and to Tomas Hoger <thoger@redhat.com> for supplying the fix.
This commit is contained in:
Dr. Stephen Henson
parent
747c6ffda4
commit
8d038a08fb
6
CHANGES
6
CHANGES
@ -4,7 +4,11 @@
|
|||||||
|
|
||||||
Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]
|
Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]
|
||||||
|
|
||||||
*)
|
*) The fix for CVE-2012-2110 did not take into account that the
|
||||||
|
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
|
||||||
|
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
|
||||||
|
rejecting negative len parameter. (CVE-2012-2131)
|
||||||
|
[Tomas Hoger <thoger@redhat.com>]
|
||||||
|
|
||||||
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
|
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
|
||||||
|
|
||||||
|
|||||||
@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
|
|||||||
char *ret;
|
char *ret;
|
||||||
unsigned int n;
|
unsigned int n;
|
||||||
|
|
||||||
|
if (len < 0)
|
||||||
|
{
|
||||||
|
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
if (str->length >= len)
|
if (str->length >= len)
|
||||||
{
|
{
|
||||||
str->length=len;
|
str->length=len;
|
||||||
@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
|
|||||||
char *ret;
|
char *ret;
|
||||||
unsigned int n;
|
unsigned int n;
|
||||||
|
|
||||||
|
if (len < 0)
|
||||||
|
{
|
||||||
|
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
if (str->length >= len)
|
if (str->length >= len)
|
||||||
{
|
{
|
||||||
memset(&str->data[len],0,str->length-len);
|
memset(&str->data[len],0,str->length-len);
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user