diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-09-21 13:26:01 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-09-21 20:01:32 +0100 |
commit | bb1a4866034255749ac578adb06a76335fc117b1 (patch) | |
tree | e1c4acdc5025feb8b059db4e484f6cf37b39b1e4 | |
parent | 8289755d54e4cf34d502c630613d1dba60e30830 (diff) |
Make message buffer slightly larger than message.
Grow TLS/DTLS 16 bytes more than strictly necessary as a precaution against
OOB reads. In most cases this will have no effect because the message buffer
will be large enough already.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 006a788c84e541c8920dd2ad85fb62b52185c519)
-rw-r--r-- | ssl/d1_both.c | 5 | ||||
-rw-r--r-- | ssl/s3_both.c | 6 |
2 files changed, 9 insertions, 2 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c index ae292c4959..0cf1e49fd2 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -577,9 +577,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, /* * msg_len is limited to 2^24, but is effectively checked against max * above + * + * Make buffer slightly larger than message length as a precaution + * against small OOB reads e.g. CVE-2016-6306 */ if (!BUF_MEM_grow_clean - (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { + (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) { SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); return SSL_AD_INTERNAL_ERROR; } diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 08cc451155..d798d83cb7 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -499,9 +499,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE); goto f_err; } + /* + * Make buffer slightly larger than message length as a precaution + * against small OOB reads e.g. CVE-2016-6306 + */ if (l && !BUF_MEM_grow_clean(s->init_buf, - (int)l + SSL3_HM_HEADER_LENGTH)) { + (int)l + SSL3_HM_HEADER_LENGTH + 16)) { SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB); goto err; } |