[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Dr. Stephen Henson steve at openssl.org
Wed Sep 21 13:13:44 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  ff553f837172ecb2b5c8eca257ec3c5619a4b299 (commit)
      from  d0cbaa2f3a36a3359ee979f0262f0ff514630509 (commit)


- Log -----------------------------------------------------------------
commit ff553f837172ecb2b5c8eca257ec3c5619a4b299
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Sep 17 12:36:58 2016 +0100

    Fix small OOB reads.
    
    In ssl3_get_client_certificate, ssl3_get_server_certificate and
    ssl3_get_certificate_request check we have enough room
    before reading a length.
    
    Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
    
    CVE-2016-6306
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_clnt.c | 11 +++++++++++
 ssl/s3_srvr.c |  6 ++++++
 2 files changed, 17 insertions(+)

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 36833f7..d2afaa5 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1216,6 +1216,12 @@ int ssl3_get_server_certificate(SSL *s)
         goto f_err;
     }
     for (nc = 0; nc < llen;) {
+        if (nc + 3 > llen) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                   SSL_R_CERT_LENGTH_MISMATCH);
+            goto f_err;
+        }
         n2l3(p, l);
         if ((l + nc + 3) > llen) {
             al = SSL_AD_DECODE_ERROR;
@@ -2171,6 +2177,11 @@ int ssl3_get_certificate_request(SSL *s)
     }
 
     for (nc = 0; nc < llen;) {
+        if (nc + 2 > llen) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+            goto err;
+        }
         n2s(p, l);
         if ((l + nc + 2) > llen) {
             if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 7c19753..01ccd5d 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3220,6 +3220,12 @@ int ssl3_get_client_certificate(SSL *s)
         goto f_err;
     }
     for (nc = 0; nc < llen;) {
+        if (nc + 3 > llen) {
+            al = SSL_AD_DECODE_ERROR;
+            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+                   SSL_R_CERT_LENGTH_MISMATCH);
+            goto f_err;
+        }
         n2l3(p, l);
         if ((l + nc + 3) > llen) {
             al = SSL_AD_DECODE_ERROR;


More information about the openssl-commits mailing list