diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2015-03-03 13:20:57 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-03-19 12:58:35 +0000 |
commit | 76343947ada960b6269090638f5391068daee88d (patch) | |
tree | 020aa94395f96caa9efa308238ef175033477234 | |
parent | 4b22cce3812052fe64fc3f6d58d8cc884e3cb834 (diff) |
Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
ssl/t1_lib.c
-rw-r--r-- | ssl/t1_lib.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 6e991e0938..d85d26e596 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2967,6 +2967,7 @@ int tls1_set_server_sigalgs(SSL *s) if (s->cert->shared_sigalgs) { OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; + s->cert->shared_sigalgslen = 0; } /* Clear certificate digests and validity flags */ for (i = 0; i < SSL_PKEY_NUM; i++) { @@ -3620,6 +3621,7 @@ static int tls1_set_shared_sigalgs(SSL *s) if (c->shared_sigalgs) { OPENSSL_free(c->shared_sigalgs); c->shared_sigalgs = NULL; + c->shared_sigalgslen = 0; } /* If client use client signature algorithms if not NULL */ if (!s->server && c->client_sigalgs && !is_suiteb) { @@ -3642,12 +3644,14 @@ static int tls1_set_shared_sigalgs(SSL *s) preflen = c->peer_sigalgslen; } nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen); - if (!nmatch) - return 1; - salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); - if (!salgs) - return 0; - nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); + if (nmatch) { + salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS)); + if (!salgs) + return 0; + nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen); + } else { + salgs = NULL; + } c->shared_sigalgs = salgs; c->shared_sigalgslen = nmatch; return 1; |