openssl - Mirror of https://github.com/openssl/openssl

diff options

author	Peter Kaestle <peter.kaestle@nokia.com>	2021-03-15 13:19:56 +0100
committer	Matt Caswell <matt@openssl.org>	2021-03-25 09:43:33 +0000
commit	fb9fa6b51defd48157eeb207f52181f735d96148 (patch)
tree	b368186caf503654d25ccfcae34f46893f360a89 /NEWS
parent	3ff38629a2df6635f36bfb79513cc6440db8cd70 (diff)

ssl sigalg extension: fix NULL pointer dereference

As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34e61 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <peter.kaestle@nokia.com> Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>

Diffstat (limited to 'NEWS')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: