diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2012-05-10 15:10:15 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-05-10 15:10:15 +0000 |
| commit | d414a5a0f041af6ef460150b093049ff80921fbf (patch) | |
| tree | 3f038f776c764624347e4bffee2f712516cadb3b /ssl/t1_enc.c | |
| parent | 9eb4460e68ddbd7ba048349dadec5ae66a9d3756 (diff) | |
Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
Diffstat (limited to 'ssl/t1_enc.c')
| -rw-r--r-- | ssl/t1_enc.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 201ca9ad6d..f7bdeb3b9d 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -889,6 +889,8 @@ int tls1_enc(SSL *s, int send) if (s->version >= TLS1_1_VERSION && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { + if (bs > (int)rec->length) + return -1; rec->data += bs; /* skip the explicit IV */ rec->input += bs; rec->length -= bs; |