diff options
author | Gabor Tyukasz <Gabor.Tyukasz@logmein.com> | 2014-07-23 23:42:06 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-08-06 20:36:41 +0100 |
commit | fb0bc2b273bcc2d5401dd883fe869af4fc74bb21 (patch) | |
tree | 39c4e2883d327fd14d8b2362a4166631f13f0bd3 /ssl | |
parent | 0042fb5fd1c9d257d713b15a1f45da05cf5c1c87 (diff) |
Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 4374d6aadd..749d88d1a9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2647,15 +2647,18 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + s->session->tlsext_ecpointformatlist_length = 0; + if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; + memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist; |