summaryrefslogtreecommitdiffstats
path: root/ssl/s2_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to 'ssl/s2_srvr.c')
-rw-r--r--ssl/s2_srvr.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index af58b25071..96149518ad 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -116,6 +116,7 @@
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
+#include "cryptlib.h"
static SSL_METHOD *ssl2_get_server_method(int ver);
static int get_client_master_key(SSL *s);
@@ -417,11 +418,18 @@ static int get_client_master_key(SSL *s)
n2s(p,i); s->s2->tmp.clear=i;
n2s(p,i); s->s2->tmp.enc=i;
n2s(p,i); s->session->key_arg_length=i;
+ if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+ {
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+ SSL_R_KEY_ARG_TOO_LONG);
+ return -1;
+ }
s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
}
/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
p=(unsigned char *)s->init_buf->data;
+ die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
keya=s->session->key_arg_length;
len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
@@ -502,6 +510,7 @@ static int get_client_master_key(SSL *s)
#endif
if (is_export) i+=s->s2->tmp.clear;
+ die(i <= SSL_MAX_MASTER_KEY_LENGTH);
s->session->master_key_length=i;
memcpy(s->session->master_key,p,(unsigned int)i);
return(1);
@@ -649,6 +658,7 @@ static int get_client_hello(SSL *s)
p+=s->s2->tmp.session_id_length;
/* challenge */
+ die(s->s2->challenge_length <= sizeof s->s2->challenge);
memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
return(1);
mem_err:
@@ -800,6 +810,7 @@ static int get_client_finished(SSL *s)
}
/* SSL2_ST_GET_CLIENT_FINISHED_B */
+ die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
len = 1 + (unsigned long)s->s2->conn_id_length;
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -825,6 +836,7 @@ static int server_verify(SSL *s)
{
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_SERVER_VERIFY;
+ die(s->s2->challenge_length <= sizeof s->s2->challenge);
memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
/* p+=s->s2->challenge_length; */
@@ -844,6 +856,8 @@ static int server_finish(SSL *s)
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_SERVER_FINISHED;
+ die(s->session->session_id_length
+ <= sizeof s->session->session_id);
memcpy(p,s->session->session_id,
(unsigned int)s->session->session_id_length);
/* p+=s->session->session_id_length; */
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-27 14:37:03 +0000