[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Mon Nov 7 15:31:05 UTC 2016
The branch OpenSSL_1_1_0-stable has been updated
via 992b3740a1f7b24771ccf29a52b0141c51b95933 (commit)
from 51d8e5ea866a7d606e4f2aa5e45c2f7df2270ace (commit)
- Log -----------------------------------------------------------------
commit 992b3740a1f7b24771ccf29a52b0141c51b95933
Author: Matt Caswell <matt at openssl.org>
Date: Thu Nov 3 13:21:28 2016 +0000
Always ensure that init_msg is initialised for a CCS
We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit c437757466e7bef632b26eaaf429a9e693330999)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_lib.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 31a84e4..637c610 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -370,6 +370,7 @@ int tls_get_message_header(SSL *s, int *mt)
}
s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
s->init_num = i - 1;
+ s->init_msg = s->init_buf->data;
s->s3->tmp.message_size = i;
return 1;
} else if (recvd_type != SSL3_RT_HANDSHAKE) {
More information about the openssl-commits
mailing list