From 6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5 Mon Sep 17 00:00:00 2001
From: miod
Date: Thu, 17 Jul 2014 11:32:21 +0000
Subject: [PATCH] Missing bounds check in ssl3_get_certificate_request(), was not spotted in 1.78; reported by Ilja Van Sprundel.
---
 lib/libssl/s3_clnt.c | 7 ++++++-
 lib/libssl/src/ssl/s3_clnt.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c
index b55b2e62c6a..8dbeb5ce800 100644
--- a/lib/libssl/s3_clnt.c
+++ b/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.84 2014/07/17 11:32:21 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1678,6 +1678,11 @@ ssl3_get_certificate_request(SSL *s)
 }
 for (nc = 0; nc < llen; ) {
+ if (p + 2 - d > n) {
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index b55b2e62c6a..8dbeb5ce800 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.84 2014/07/17 11:32:21 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1678,6 +1678,11 @@ ssl3_get_certificate_request(SSL *s)
 }
 for (nc = 0; nc < llen; ) {
+ if (p + 2 - d > n) {
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
 n2s(p, l);
 if ((l + nc + 2) > llen) {
 if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
--
2.20.1
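Review bot: The guard added before `n2s(p, l)` in the `@@ -1678,6 +1678,11 @@` hunk only proves that the two length bytes lie inside the `n`-byte message; the `l` bytes of DN data consumed afterwards are bounded solely by the `(l + nc + 2) > llen` test, which is sound only if `llen` was itself validated against `n` before the loop, and that code is outside the hunk. It would help to confirm that and record it with a short comment on the new check, for example `/* need 2 bytes for the DN length before n2s() reads them */`. Writing the test as `if (n - (p - d) < 2) {` states the remaining-bytes requirement directly and avoids forming `p + 2` before it is known to be in range. The same applies to the identical hunk in lib/libssl/src/ssl/s3_clnt.c; the body of ssl3_get_certificate_request() starts and ends outside both hunks.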