Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl/dist/ssl Fix crash in openssl (I...
details: https://anonhg.NetBSD.org/src/rev/86959cf50713
branches: trunk
changeset: 753748:86959cf50713
user: bouyer <bouyer%NetBSD.org@localhost>
date: Fri Apr 09 04:34:13 2010 +0000
description:
Fix crash in openssl (I suspect caused by malformed packets):
handshake_dgst[] may be used without being allocated, causing NULL
pointer dereference.
Fix by checking that handshake_dgst is not NULL before use.
Reported to openssl as ticket openssl.org #2214.
Fix tested on netbsd-5 by Luke Mewburn with apache, and by me with
freeradius (fixing segmentation fault in both cases).
diffstat:
crypto/external/bsd/openssl/dist/ssl/s3_enc.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c | 28 +++++++++++++------------
crypto/external/bsd/openssl/dist/ssl/t1_enc.c | 18 +++++++++-------
3 files changed, 26 insertions(+), 22 deletions(-)
diffs (87 lines):
diff -r d987126b15ba -r 86959cf50713 crypto/external/bsd/openssl/dist/ssl/s3_enc.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_enc.c Thu Apr 08 18:31:53 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_enc.c Fri Apr 09 04:34:13 2010 +0000
@@ -578,7 +578,7 @@
{
BIO_write (s->s3->handshake_buffer,(void *)buf,len);
}
- else
+ else if (s->s3->handshake_dgst != NULL)
{
int i;
for (i=0;i< SSL_MAX_DIGEST;i++)
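Review bot: With `else if (s->s3->handshake_dgst != NULL)`, a call that arrives when both `handshake_buffer` and `handshake_dgst` are unset now drops `buf` silently, so that handshake data is recorded nowhere. This stops the NULL dereference, but any transcript hash computed later would presumably cover an incomplete handshake, and nothing here marks the connection as failed. At minimum add a comment on the new branch such as `/* no buffer and no digests: this data is NOT hashed; the handshake must be failed by the caller */`. If the function can signal an error, a trailing `else` that does so is safer than ignoring the input. The function's signature and the end of the loop are outside this hunk, so the return type should be confirmed first.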
diff -r d987126b15ba -r 86959cf50713 crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
--- a/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Thu Apr 08 18:31:53 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c Fri Apr 09 04:34:13 2010 +0000
@@ -537,20 +537,22 @@
if (s->s3->handshake_buffer)
if (!ssl3_digest_cached_records(s))
return -1;
- for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
- if (s->s3->handshake_dgst[dgst_num])
- {
- int dgst_size;
+ if (s->s3->handshake_dgst != NULL) {
+ for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
+ if (s->s3->handshake_dgst[dgst_num])
+ {
+ int dgst_size;
- s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
- dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
- if (dgst_size < 0)
- {
- ret = -1;
- goto end;
- }
- offset+=dgst_size;
- }
+ s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
+ dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
+ if (dgst_size < 0)
+ {
+ ret = -1;
+ goto end;
+ }
+ offset+=dgst_size;
+ }
+ }
}
break;
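Review bot: When `s->s3->handshake_dgst` is NULL, the new `if` skips the whole digest loop and control falls through to `break;`, so the state machine appears to continue with `s->s3->tmp.cert_verify_md` never filled in by this block. That buffer looks like the input for a later client-certificate verification, so this path should fail closed like the existing `dgst_size < 0` case: after the closing brace of the new `if`, add `else { ret = -1; goto end; }`. The first t1_enc.c hunk already fails closed for the same condition, because `d` stays NULL and the `if (!d)` error path is taken. The enclosing case block starts before this hunk, so whether a later check would reject the handshake anyway cannot be confirmed from here.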
diff -r d987126b15ba -r 86959cf50713 crypto/external/bsd/openssl/dist/ssl/t1_enc.c
--- a/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Thu Apr 08 18:31:53 2010 +0000
+++ b/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Fri Apr 09 04:34:13 2010 +0000
@@ -788,14 +788,16 @@
if (!ssl3_digest_cached_records(s))
return 0;
- for (i=0;i<SSL_MAX_DIGEST;i++)
- {
- if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
- {
- d=s->s3->handshake_dgst[i];
- break;
+ if (s->s3->handshake_dgst) {
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
}
- }
+ }
if (!d) {
SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
return 0;
@@ -833,7 +835,7 @@
if (mask & s->s3->tmp.new_cipher->algorithm2)
{
int hashsize = EVP_MD_size(md);
- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
+ if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)) || s->s3->handshake_dgst == NULL)
{
/* internal error: 'buf' is too small for this cipersuite! */
err = 1;
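Review bot: The added `|| s->s3->handshake_dgst == NULL` makes the existing comment wrong for that case, since a missing digest array has nothing to do with `buf` being too small. Reword it to something like `/* internal error: handshake digests not allocated, or 'buf' is too small for this ciphersuite */`, which also fixes the "cipersuite" typo. The NULL test does not depend on `hashsize` or `mask`, so it would read more clearly as its own check before the loop. As placed, it only fires on iterations where `mask & s->s3->tmp.new_cipher->algorithm2` is non-zero. The surrounding loop and the use of `err` are outside this hunk.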