From d33c2a3d8453a75509bcc8d2cf7d2dc2a3a518d0 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 18 Mar 2021 16:52:10 +0000 Subject: Ensure buffer/length pairs are always in sync Following on from CVE-2021-3449 which was caused by a non-zero length associated with a NULL buffer, other buffer/length pairs are updated to ensure that they too are always in sync. Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale --- ssl/ssl_lib.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'ssl/ssl_lib.c') diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 98057921f8..fd1acf1a32 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -779,8 +779,10 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats, ctx->ext.ecpointformats_len); - if (!s->ext.ecpointformats) + if (!s->ext.ecpointformats) { + s->ext.ecpointformats_len = 0; goto err; + } s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } @@ -789,8 +791,10 @@ SSL *SSL_new(SSL_CTX *ctx) OPENSSL_memdup(ctx->ext.supportedgroups, ctx->ext.supportedgroups_len * sizeof(*ctx->ext.supportedgroups)); - if (!s->ext.supportedgroups) + if (!s->ext.supportedgroups) { + s->ext.supportedgroups_len = 0; goto err; + } s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } #endif @@ -800,8 +804,10 @@ SSL *SSL_new(SSL_CTX *ctx) if (s->ctx->ext.alpn) { s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len); - if (s->ext.alpn == NULL) + if (s->ext.alpn == NULL) { + s->ext.alpn_len = 0; goto err; + } memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len); s->ext.alpn_len = s->ctx->ext.alpn_len; } @@ -2834,6 +2840,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, OPENSSL_free(ctx->ext.alpn); ctx->ext.alpn = OPENSSL_memdup(protos, protos_len); if (ctx->ext.alpn == NULL) { + ctx->ext.alpn_len = 0; SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } @@ -2853,6 +2860,7 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, OPENSSL_free(ssl->ext.alpn); ssl->ext.alpn = OPENSSL_memdup(protos, protos_len); if (ssl->ext.alpn == NULL) { + ssl->ext.alpn_len = 0; SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE); return 1; } -- cgit v1.2.3