[openssl-commits] [openssl] OpenSSL_0_9_8-stable update
Matt Caswell
matt at openssl.org
Tue Apr 14 14:02:53 UTC 2015
The branch OpenSSL_0_9_8-stable has been updated
via 5d28381ae44725254e92bab9797593c6d3fa1e86 (commit)
from eeda966123e96e890ad56bfcaaec82d07b36e26a (commit)
- Log -----------------------------------------------------------------
commit 5d28381ae44725254e92bab9797593c6d3fa1e86
Author: Matt Caswell <matt at openssl.org>
Date: Fri Apr 10 16:49:33 2015 +0100
Fix ssl_get_prev_session overrun

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)

Conflicts:
ssl/ssl_sess.c
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_sess.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 9c797e3..fc31296 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -310,6 +310,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
goto err;
+
+ if (session_id + len > limit) {
+ fatal = 1;
+ goto err;
+ }
+
#ifndef OPENSSL_NO_TLSEXT
r = tls1_process_ticket(s, session_id, len, limit, &ret);
if (r == -1) {
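Review bot: The added check `if (session_id + len > limit)` forms the pointer `session_id + len` before comparing it, and in C that is undefined behaviour when the result lies more than one element past the end of the buffer; writing the test on lengths, `if (len > limit - session_id)`, gives the same result without forming that pointer. Because `len` is a signed `int` and the only other check visible here is the upper bound against `SSL_MAX_SSL_SESSION_ID_LENGTH`, it is worth confirming that a negative `len` is rejected before this point, since it would pass both comparisons. A one-line comment saying that this check matters for `OPENSSL_NO_TLSEXT` builds, where the `tls1_process_ticket` call that receives `limit` is compiled out, would also help later readers.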