[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
Dr. Stephen Henson
steve at openssl.org
Wed Sep 21 13:23:28 UTC 2016
The branch OpenSSL_1_0_1-stable has been updated
via 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 (commit)
from 515a0105652a1b84d712b4d162cf859c02bf5450 (commit)
- Log -----------------------------------------------------------------
commit 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sat Sep 17 12:36:58 2016 +0100
Fix small OOB reads.
In ssl3_get_client_certificate, ssl3_get_server_certificate and
ssl3_get_certificate_request check we have enough room
before reading a length.
Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
CVE-2016-6306
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_clnt.c | 11 +++++++++++
ssl/s3_srvr.c | 6 ++++++
2 files changed, 17 insertions(+)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 9e5875f..40ca13d 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s)
goto f_err;
}
for (nc = 0; nc < llen;) {
+ if (nc + 3 > llen) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+ SSL_R_CERT_LENGTH_MISMATCH);
+ goto f_err;
+ }
n2l3(p, l);
if ((l + nc + 3) > llen) {
al = SSL_AD_DECODE_ERROR;
@@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s)
}
for (nc = 0; nc < llen;) {
+ if (nc + 2 > llen) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+ goto err;
+ }
n2s(p, l);
if ((l + nc + 2) > llen) {
if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 591b13e..4f1a2e9 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3234,6 +3234,12 @@ int ssl3_get_client_certificate(SSL *s)
goto f_err;
}
for (nc = 0; nc < llen;) {
+ if (nc + 3 > llen) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
+ SSL_R_CERT_LENGTH_MISMATCH);
+ goto f_err;
+ }
n2l3(p, l);
if ((l + nc + 3) > llen) {
al = SSL_AD_DECODE_ERROR;
More information about the openssl-commits
mailing list