[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Rich Salz rsalz at openssl.org
Thu Feb 22 18:56:56 UTC 2018


The branch OpenSSL_1_0_2-stable has been updated
       via  99bb59d9d7fbcf73c8ed1e5b3e9cb7e3b0225521 (commit)
      from  a25e2d49a75eb01dcdad41a5bec05666d461b2d6 (commit)


- Log -----------------------------------------------------------------
commit 99bb59d9d7fbcf73c8ed1e5b3e9cb7e3b0225521
Author: Philippe Antoine <p.antoine at catenacyber.fr>
Date:   Thu Feb 22 13:56:40 2018 -0500

    Checks ec_points_format extension size
    
    Before reading first byte as length
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5410)

-----------------------------------------------------------------------

Summary of changes:
 ssl/t1_lib.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a186623..3c5b6ad 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2284,8 +2284,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 # ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
+            int ecpointformatlist_length;
 
+            if (size == 0) {
+                goto err;
+            }
+
+            ecpointformatlist_length = *(sdata++);
             if (ecpointformatlist_length != size - 1 ||
                 ecpointformatlist_length < 1)
                 goto err;
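Review bot: The new `if (size == 0)` guard carries no comment, and its purpose is not evident from the condition alone: `*(sdata++)` reads the list-length byte, so an extension with an empty body would otherwise be read one byte past its end. I would put `/* The one-byte list length must be present before it is read */` above the check, and the same above the matching guard in the ssl_scan_serverhello_tlsext hunk. The braces around the single `goto err;` also differ from the unbraced `if` directly below it. The enclosing function starts and ends outside the hunk, so the `err` label's handling is not visible here.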
@@ -2711,8 +2716,14 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
 # ifndef OPENSSL_NO_EC
         else if (type == TLSEXT_TYPE_ec_point_formats) {
             unsigned char *sdata = data;
-            int ecpointformatlist_length = *(sdata++);
+            int ecpointformatlist_length;
+
+            if (size == 0) {
+                *al = TLS1_AD_DECODE_ERROR;
+                return 0;
+            }
 
+            ecpointformatlist_length = *(sdata++);
             if (ecpointformatlist_length != size - 1) {
                 *al = TLS1_AD_DECODE_ERROR;
                 return 0;
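Review bot: The server-hello branch still accepts an empty point-format list: with `size == 1` and a length byte of 0, `ecpointformatlist_length != size - 1` is false and parsing continues, whereas the client-hello branch in the first hunk also rejects `ecpointformatlist_length < 1`. RFC 4492 declares the list as `<1..2^8-1>`, so the condition here could match the client side: `if (ecpointformatlist_length != size - 1 || ecpointformatlist_length < 1) {`. What the code after this check does with a zero length lies outside the hunk, so the practical effect is unconfirmed from this view.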

