[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Tue Apr 14 14:03:23 UTC 2015


The branch OpenSSL_1_0_2-stable has been updated
       via  5101c35c9173e40051acb23e45aae128fb84806e (commit)
      from  35bac9167644d167aee57c26df206ed5f2b2a877 (commit)


- Log -----------------------------------------------------------------
commit 5101c35c9173e40051acb23e45aae128fb84806e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Apr 10 16:49:33 2015 +0100

    Fix ssl_get_prev_session overrun
    
    If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
    past the end of the ClientHello message if the session_id length in the
    ClientHello is invalid. This should not cause any security issues since the
    underlying buffer is 16k in size. It should never be possible to overrun by
    that many bytes.
    
    This is probably made redundant by the previous commit - but you can never be
    too careful.
    
    With thanks to Qinghao Tang for reporting this issue.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_sess.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 1e1002f..dce9088 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -452,6 +452,11 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
     if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
         goto err;
 
+    if (session_id + len > limit) {
+        fatal = 1;
+        goto err;
+    }
+
     if (len == 0)
         try_session_cache = 0;
 
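Review bot: The added check `session_id + len > limit` forms the pointer sum before comparing it, and `len` is a signed `int` that the visible lines only bound from above (`len > SSL_MAX_SSL_SESSION_ID_LENGTH`). Comparing lengths instead, for example `len < 0 || len > limit - session_id`, avoids computing a pointer outside the buffer and rejects a negative `len` explicitly. A one-line comment stating what `limit` points to, and why this path sets `fatal = 1` while the length check directly above it jumps to `err` without doing so, would make the difference in error handling clear to the next reader.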

