diff options
author | Alessandro Ghedini <alessandro@ghedini.me> | 2016-01-13 12:49:24 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-01-19 15:42:23 +0000 |
commit | 51223748e5527db0e08049925bc2e9f430154d97 (patch) | |
tree | 36fc94f04d980534b4d6059f1b8bd6a418317878 | |
parent | 4c33d583f5f691d354b58ca27d5e2108cd890a9c (diff) |
Validate ClientHello session_id field length and send alert on failure
RT#4080
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
-rw-r--r-- | ssl/s2_srvr.c | 5 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 6 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 3 |
3 files changed, 11 insertions, 3 deletions
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 4289272b73..5e2e0acc35 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -598,6 +598,11 @@ static int get_client_hello(SSL *s) s->s2->tmp.cipher_spec_length = i; n2s(p, i); s->s2->tmp.session_id_length = i; + if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + return -1; + } n2s(p, i); s->s2->challenge_length = i; if ((i < SSL2_MIN_CHALLENGE_LENGTH) || diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4626a09635..7eb7ea681e 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1064,6 +1064,12 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } + if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index de4c59e21f..48fc4511f1 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -602,9 +602,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) - goto err; - if (session_id + len > limit) { fatal = 1; goto err; |