authorMatt Caswell <matt@openssl.org>2016-10-14 11:49:06 +0100
committerMatt Caswell <matt@openssl.org>2016-10-28 09:43:41 +0100
commit83a1d4b2011ff3a7798250902bdacbca6e1766c0 (patch)
tree24740cde1c7a47251f1cf9ae9145735425b71533 /ssl
parent57aa2f154e3e0f427be59497f58092dd3ec0528a (diff)
Fix length check writing status request extension
The status request extension did not correctly check its length, meaning that writing the extension could go 2 bytes beyond the buffer size. In practice this makes little difference because, due to logic in buffer.c, the buffer is actually over-allocated by approximately 5k! Issue reported by Guido Vranken. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/t1_lib.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7831046b92..e53c76e0b3 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1479,7 +1479,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
} else
extlen = 0;
- if ((long)(limit - ret - 7 - extlen - idlen) < 0)
+ /*
+ * 2 bytes for status request type
+ * 2 bytes for status request len
+ * 1 byte for OCSP request type
+ * 2 bytes for length of ids
+ * 2 bytes for length of extensions
+ */
+ if ((long)(limit - ret - 9 - extlen - idlen) < 0)
return NULL;
s2n(TLSEXT_TYPE_status_request, ret);
if (extlen + idlen > 0xFFF0)
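Review bot: The `9` in `if ((long)(limit - ret - 9 - extlen - idlen) < 0)` is a hand-counted total that has to stay in step with the writes that follow, most of which are outside this hunk; the previous `7` was wrong in exactly this way. The new comment lists the five fixed fields but not the variable part, so I would add a closing line such as `* plus idlen + extlen bytes of payload, subtracted separately below`. I would also move `if (extlen + idlen > 0xFFF0) return NULL;` ahead of the limit check, so the bounds arithmetic only sees values already known to fit the 16-bit length field. The declarations of `extlen` and `idlen` are not visible here, so whether the signed subtraction can misbehave for extreme values needs confirming against them. The body of ssl_add_clienthello_tlsext starts and ends outside the hunk.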