author | Gabor Tyukasz <Gabor.Tyukasz@logmein.com> | 2014-07-23 23:42:06 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-08-06 20:41:24 +0100 |
commit | 92aa73bcbfad44f9dd7997ae51537ac5d7dc201e (patch) | |
tree | 23685a8e5fd607130090edb194b7117d0b0049d6 /ssl/t1_lib.c | |
parent | c01618dd822cc724c05eeb52455874ad068ec6a5 (diff) |
Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 319009df0f..9e5927f826 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2580,15 +2580,18 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
 {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 }
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
 sdata = s->session->tlsext_ecpointformatlist; |
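Review bot: The new `if (!s->hit)` guard has no comment explaining why the session's point-format list is only rewritten on a full handshake, yet that condition is the whole fix. The commit title calls this a race (CVE-2014-3509); presumably a resumed `s->session` can be referenced by other connections while this code frees and reallocates `tlsext_ecpointformatlist`, though the sharing itself is not visible in the hunk. I would put `/* A resumed session may be shared with other connections: never free or reallocate its fields here. */` directly above the guard so it is not later removed as redundant. On the resumed path the server's list is now skipped entirely; whether it should be compared with the stored copy cannot be judged from here, since the body of ssl_scan_serverhello_tlsext starts and ends outside the hunk.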