author | Matt Caswell <matt@openssl.org> | 2018-06-18 11:30:21 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-06-21 11:07:45 +0100 |
commit | 27232cc3385260311e7fd2f6cd78db967cae650d (patch) | |
tree | c12f2414e34c02a2b8fe8853b7fdb318943bbe3e /ssl/ssl_sess.c | |
parent | 4f1b96f9fcd2545b42186832ce2354d005ebe468 (diff) |
Don't use OPENSSL_strdup() for copying alpn_selected
An alpn_selected value containing NUL bytes in it will result in
ext.alpn_selected_len having a larger value than the number of bytes
allocated in ext.alpn_selected.
Issue found by OSS-fuzz.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6507)
Diffstat (limited to 'ssl/ssl_sess.c')
-rw-r--r-- | ssl/ssl_sess.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 0723765366..fde4187d9c 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -220,13 +220,11 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
 dest->ext.ticklen = 0;
 }
- if (src->ext.alpn_selected) {
- dest->ext.alpn_selected =
- (unsigned char*)OPENSSL_strndup((char*)src->ext.alpn_selected,
- src->ext.alpn_selected_len);
- if (dest->ext.alpn_selected == NULL) {
+ if (src->ext.alpn_selected != NULL) {
+ dest->ext.alpn_selected = OPENSSL_memdup(src->ext.alpn_selected,
+ src->ext.alpn_selected_len);
+ if (dest->ext.alpn_selected == NULL)
 goto err;
- }
 }
 #ifndef OPENSSL_NO_SRP |
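Review bot: The new `OPENSSL_memdup()` call carries no comment saying that `ext.alpn_selected` is a length-delimited byte string rather than a C string, so a later cleanup could bring back a `str*` copy and with it the mismatch between buffer size and `alpn_selected_len`. I would add above the `if`: `/* alpn_selected is opaque bytes and may contain NUL: copy by length, never with str*() */`. The hunk also does not assign `dest->ext.alpn_selected_len`; it is presumably copied earlier in `ssl_session_dup()`, whose body starts outside the hunk, and that is worth confirming because the pointer and length must stay in step. If `OPENSSL_memdup()` returns NULL for a zero length (worth checking), a non-NULL `alpn_selected` with `alpn_selected_len == 0` would take the `goto err` path and fail the whole duplication. A regression test that duplicates a session whose selected protocol contains an embedded NUL would pin the fix.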