Assorted bugfixes:
- RLE decompression boundary case - SSL 2.0 key arg length check Submitted by: Google (Neel Mehta, Bodo Moeller)
@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
|
|||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (olen < (ilen-1))
|
if (ilen == 0 || olen < (ilen-1))
|
||||||
{
|
{
|
||||||
/* ZZZZZZZZZZZZZZZZZZZZZZ */
|
/* ZZZZZZZZZZZZZZZZZZZZZZ */
|
||||||
return(-1);
|
return(-1);
|
||||||
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
|
|||||||
}
|
}
|
||||||
return(ilen-1);
|
return(ilen-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
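Review bot: The `ilen == 0` guard added to the length test in `rle_expand_block` has no explanation, and the comment in the failure branch is still the `/* ZZZZZZZZZZZZZZZZZZZZZZ */` placeholder. The parameter types are cut off in the hunk header, so whether `ilen-1` can wrap or go negative for an empty input is not visible here. A short comment should state the intent, e.g. `/* reject empty input: ilen-1 is not a valid payload length */`, and the placeholder could become `/* no input, or output buffer too small for ilen-1 bytes */`. The branch returns -1 with no visible error report, which is presumably what the placeholder stands for. The function body continues outside both hunks, and the second hunk only drops a trailing blank line.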
@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
|
|||||||
p+=3;
|
p+=3;
|
||||||
n2s(p,i); s->s2->tmp.clear=i;
|
n2s(p,i); s->s2->tmp.clear=i;
|
||||||
n2s(p,i); s->s2->tmp.enc=i;
|
n2s(p,i); s->s2->tmp.enc=i;
|
||||||
n2s(p,i); s->session->key_arg_length=i;
|
n2s(p,i);
|
||||||
if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
|
if(i > SSL_MAX_KEY_ARG_LENGTH)
|
||||||
{
|
{
|
||||||
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
|
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
|
||||||
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
|
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
s->session->key_arg_length=i;
|
||||||
s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
|
s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
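Review bot: `s->s2->tmp.clear` and `s->s2->tmp.enc` are read from the same client message just above the changed lines and are stored with no bound visible in this hunk, while only the key-arg length is checked before being stored. If they are used as copy or decrypt lengths later in `get_client_master_key` (the body continues outside the hunk), they should get the same validate-then-assign treatment against the size of the buffers they index. It would also help to comment the new ordering, e.g. `/* peer-supplied length: check before storing it in the session */`, so a later edit does not move the assignment back above the check.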