reject zero length point format list or supported curves extensions

author: Dr. Stephen Henson <steve@openssl.org> 2012-11-22 14:15:44 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2012-11-22 14:15:44 +0000
commit: e83aefb3a0c645c77849f889bc166935b2cc935c (patch)
tree: 5d23255b1ccf9be213d6027bba756905fbcf0e88
parent: 1740c9fbfc6f94eb550fad1855466437120bd3ba (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c53eadfe30..fd13a317c1 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1853,7 +1853,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			unsigned char *sdata = data;
 			int ecpointformatlist_length = *(sdata++);
 
-			if (ecpointformatlist_length != size - 1)
+			if (ecpointformatlist_length != size - 1 || 
+				ecpointformatlist_length < 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
@@ -1889,7 +1890,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			int ellipticcurvelist_length = (*(sdata++) << 8);
 			ellipticcurvelist_length += (*(sdata++));
 
-			if (ellipticcurvelist_length != size - 2)
+			if (ellipticcurvelist_length != size - 2 ||
+				ellipticcurvelist_length < 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
author	Dr. Stephen Henson <steve@openssl.org>	2012-11-22 14:15:44 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2012-11-22 14:15:44 +0000
commit	e83aefb3a0c645c77849f889bc166935b2cc935c (patch)
tree	5d23255b1ccf9be213d6027bba756905fbcf0e88
parent	1740c9fbfc6f94eb550fad1855466437120bd3ba (diff)