diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-04-23 20:35:55 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-04-23 20:35:55 +0000 |
commit | 8d038a08fbd3eb4b2f0a5bf1987bb6689a2a943c (patch) | |
tree | 745dfab31f4f0795f57458a58452d705a935524a /crypto | |
parent | 747c6ffda45c00d0bf5ec0d375b68896c02ee770 (diff) |
The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.
Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/buffer/buffer.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c index 1f09cba061..3b4c79f704 100644 --- a/crypto/buffer/buffer.c +++ b/crypto/buffer/buffer.c @@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len) char *ret; unsigned int n; + if (len < 0) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } if (str->length >= len) { str->length=len; @@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len) char *ret; unsigned int n; + if (len < 0) + { + BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE); + return 0; + } if (str->length >= len) { memset(&str->data[len],0,str->length-len); |