authorDr. Stephen Henson <steve@openssl.org>2011-05-12 17:44:59 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-05-12 17:44:59 +0000
commit376838a6064c07e53806a025a82f5ade4a8edca3 (patch)
treeca5bb9a534d994aaa6c19454190de152924af11e /ssl/s3_clnt.c
parentd768a816aaf15b7809f56677b748719a43725d4f (diff)
Process signature algorithms during TLS v1.2 client authentication.
Make sure message is long enough for signature algorithms. (backport from HEAD).
Diffstat (limited to 'ssl/s3_clnt.c')
-rw-r--r--ssl/s3_clnt.c28
1 files changed, 19 insertions, 9 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b8e2b89df4..75f0a8e052 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1775,7 +1775,7 @@ int ssl3_get_certificate_request(SSL *s)
{
int ok,ret=0;
unsigned long n,nc,l;
- unsigned int llen,sigalglen, ctype_num,i;
+ unsigned int llen, ctype_num,i;
X509_NAME *xn=NULL;
const unsigned char *p,*q;
unsigned char *d;
@@ -1834,14 +1834,24 @@ int ssl3_get_certificate_request(SSL *s)
/* HACK! For now just skip over signatature algorithms */
if (s->version >= TLS1_2_VERSION)
{
- n2s(p, sigalglen);
- p += sigalglen;
- sigalglen += 2;
+ n2s(p, llen);
+ /* Check we have enough room for signature algorithms and
+ * following length value.
+ */
+ if ((unsigned long)(p - d + llen + 2) > n)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+ if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
+ goto err;
+ }
+ p += llen;
}
- else
- sigalglen = 0;
-
-
/* get the CA RDNs */
n2s(p,llen);
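Review bot: The new `n2s(p, llen)` reads the two-byte signature-algorithms length before anything in this hunk confirms that two bytes remain within the `n`-byte message; the added bounds check only runs after that read. Whether the certificate-types parsing above guarantees this cannot be seen here, because the body of ssl3_get_certificate_request starts and ends outside the hunk. If it does not, a truncated CertificateRequest would have its length taken from bytes past the message end, so a guard such as `if ((unsigned long)(p - d + 2) > n)` with the same decode_error handling belongs before the read. The retained comment `/* HACK! For now just skip over signatature algorithms */` is also stale now that the list is validated and passed to tls1_process_sigalgs(); something like `/* TLS 1.2: parse the server's supported signature algorithms */` would match the code.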
@@ -1854,7 +1864,7 @@ fclose(out);
}
#endif
- if ((llen+ctype_num+sigalglen+2+1) != n)
+ if ((unsigned long)(p - d + llen) != n)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);