diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-09-17 12:36:58 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-09-21 14:14:36 +0100 |
commit | 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 (patch) | |
tree | 677d04bd6f5b394b39205825a4055f2a931d1020 | |
parent | 515a0105652a1b84d712b4d162cf859c02bf5450 (diff) |
Fix small OOB reads.
In ssl3_get_client_certificate, ssl3_get_server_certificate and
ssl3_get_certificate_request check we have enough room
before reading a length.
Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
CVE-2016-6306
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)
-rw-r--r-- | ssl/s3_clnt.c | 11 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 6 |
2 files changed, 17 insertions, 0 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 9e5875f1f9..40ca13da24 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s) goto f_err; } for (nc = 0; nc < llen;) { + if (nc + 3 > llen) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto f_err; + } n2l3(p, l); if ((l + nc + 3) > llen) { al = SSL_AD_DECODE_ERROR; @@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s) } for (nc = 0; nc < llen;) { + if (nc + 2 > llen) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); + SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG); + goto err; + } n2s(p, l); if ((l + nc + 2) > llen) { if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 591b13ecea..4f1a2e9aba 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -3234,6 +3234,12 @@ int ssl3_get_client_certificate(SSL *s) goto f_err; } for (nc = 0; nc < llen;) { + if (nc + 3 > llen) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, + SSL_R_CERT_LENGTH_MISMATCH); + goto f_err; + } n2l3(p, l); if ((l + nc + 3) > llen) { al = SSL_AD_DECODE_ERROR; |