Reject elliptic curve lists of odd lengths.

The Supported Elliptic Curves extension contains a vector of NamedCurves of 2 bytes each, so the total length must be even. Accepting odd-length lists was observed to lead to a non-exploitable one-byte out-of-bounds read in the latest development branches (1.0.2 and master). Released versions of OpenSSL are not affected. Thanks to Felix Groebert of the Google Security Team for reporting this issue. Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 33d5ba862939ff8db70a9e36fc9a326fab3e8d98)
author: Emilia Kasper <emilia@openssl.org> 2014-12-01 15:04:02 +0100
committer: Emilia Kasper <emilia@openssl.org> 2014-12-05 16:44:12 +0100
commit: f6e725e86816fa9301d87c25e3dff9de2ebb7176 (patch)
tree: 9c766796a08ff926647a3c47d6eca523aff734f9 /ssl/t1_lib.c
parent: 7005eda3b6e4858233ec3d2a95ff3f5f28f8a484 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d02ae19d58..3ef5bed1fb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2171,7 +2171,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			ellipticcurvelist_length += (*(sdata++));
 
 			if (ellipticcurvelist_length != size - 2 ||
-				ellipticcurvelist_length < 1)
+				ellipticcurvelist_length < 1 ||
+				/* Each NamedCurve is 2 bytes. */
+				ellipticcurvelist_length & 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
author	Emilia Kasper <emilia@openssl.org>	2014-12-01 15:04:02 +0100
committer	Emilia Kasper <emilia@openssl.org>	2014-12-05 16:44:12 +0100
commit	f6e725e86816fa9301d87c25e3dff9de2ebb7176 (patch)
tree	9c766796a08ff926647a3c47d6eca523aff734f9 /ssl/t1_lib.c
parent	7005eda3b6e4858233ec3d2a95ff3f5f28f8a484 (diff)