From 8d038a08fbd3eb4b2f0a5bf1987bb6689a2a943c Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Mon, 23 Apr 2012 20:35:55 +0000
Subject: The fix for CVE-2012-2110 did not take into account that the 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. Thanks to the many people who reported this bug and to Tomas Hoger for supplying the fix.
---
 crypto/buffer/buffer.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'crypto')
diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c
index 1f09cba061..3b4c79f704 100644
--- a/crypto/buffer/buffer.c
+++ b/crypto/buffer/buffer.c
@@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
 char *ret;
 unsigned int n;
+ if (len < 0)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
 if (str->length >= len)
 {
 str->length=len;
@@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
 char *ret;
 unsigned int n;
+ if (len < 0)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
 if (str->length >= len)
 {
 memset(&str->data[len],0,str->length-len);
-- 
cgit v1.2.3
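Review bot: The new `len < 0` guard in BUF_MEM_grow reports `ERR_R_MALLOC_FAILURE`, so a rejected negative length looks the same in the error queue as a real allocation failure, and nothing in the code says why the check exists; the identical guard in the BUF_MEM_grow_clean hunk has the same gap. I would add a comment above each guard, e.g. `/* len is a signed int in this branch: reject negative values before the length comparison below (CVE-2012-2110 follow-up) */`, so the check is not later removed as dead code. In BUF_MEM_grow_clean the comment should also say that the guard keeps a negative `len` from reaching `memset(&str->data[len],0,str->length-len)`. Both function bodies continue outside the hunks, so the upper-bound handling from the original fix is not visible here and should be confirmed to still follow the new guard.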