Fix crash in openssl (I suspect caused by malformed packets):
handshake_dgst[] may be used without being allocated, causing NULL pointer dereference. Fix by checking that handshake_dgst is not NULL before use. Reported to openssl as ticket openssl.org #2214. Fix tested on netbsd-5 by Luke Mewburn with apache, and by me with freeradius (fixing segmentation fault in both cases).
parent
6a306d5969
commit
769c627b01
@ -578,7 +578,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
|
||||
{
|
||||
BIO_write (s->s3->handshake_buffer,(void *)buf,len);
|
||||
}
|
||||
else
|
||||
else if (s->s3->handshake_dgst != NULL)
|
||||
{
|
||||
int i;
|
||||
for (i=0;i< SSL_MAX_DIGEST;i++)
|
||||
|
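Review bot: With `else if (s->s3->handshake_dgst != NULL)` in ssl3_finish_mac, a call made when neither handshake_buffer nor handshake_dgst is set now drops the handshake bytes with no signal, because the function returns void. This removes the NULL dereference, but the handshake hash would then be missing data and the inconsistent state stays hidden from the caller. I would document the new branch with a comment such as `/* no buffer and no digests: these bytes are not hashed; the handshake must be failed elsewhere */`, and confirm that the handshake is in fact aborted later on this path. The opening `if` of this chain and the body of the `for` loop are outside the hunk.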
28
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
vendored
28
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
vendored
@ -537,20 +537,22 @@ int ssl3_accept(SSL *s)
|
||||
if (s->s3->handshake_buffer)
|
||||
if (!ssl3_digest_cached_records(s))
|
||||
return -1;
|
||||
for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
|
||||
if (s->s3->handshake_dgst[dgst_num])
|
||||
{
|
||||
int dgst_size;
|
||||
|
||||
s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
|
||||
dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
|
||||
if (dgst_size < 0)
|
||||
if (s->s3->handshake_dgst != NULL) {
|
||||
for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)
|
||||
if (s->s3->handshake_dgst[dgst_num])
|
||||
{
|
||||
ret = -1;
|
||||
goto end;
|
||||
}
|
||||
offset+=dgst_size;
|
||||
}
|
||||
int dgst_size;
|
||||
|
||||
s->method->ssl3_enc->cert_verify_mac(s,EVP_MD_CTX_type(s->s3->handshake_dgst[dgst_num]),&(s->s3->tmp.cert_verify_md[offset]));
|
||||
dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
|
||||
if (dgst_size < 0)
|
||||
{
|
||||
ret = -1;
|
||||
goto end;
|
||||
}
|
||||
offset+=dgst_size;
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
|
||||
|
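Review bot: The new `if (s->s3->handshake_dgst != NULL) {` guard in ssl3_accept skips the whole digest loop when the array is missing, and the visible code then reaches `break;` with no error set, so `s->s3->tmp.cert_verify_md` is not filled for this handshake. If the later CertificateVerify check reads that buffer (not visible here), it would compare against stale or unset bytes. Failing closed is safer, using the pattern already in the hunk: `else { ret = -1; goto end; }`. The guard also puts its brace on the same line, while the surrounding lines put braces on their own line. The enclosing case and the `end` label are outside the hunk.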
18
crypto/external/bsd/openssl/dist/ssl/t1_enc.c
vendored
18
crypto/external/bsd/openssl/dist/ssl/t1_enc.c
vendored
@ -788,14 +788,16 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
|
||||
if (!ssl3_digest_cached_records(s))
|
||||
return 0;
|
||||
|
||||
for (i=0;i<SSL_MAX_DIGEST;i++)
|
||||
{
|
||||
if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
|
||||
{
|
||||
d=s->s3->handshake_dgst[i];
|
||||
break;
|
||||
if (s->s3->handshake_dgst) {
|
||||
for (i=0;i<SSL_MAX_DIGEST;i++)
|
||||
{
|
||||
if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
|
||||
{
|
||||
d=s->s3->handshake_dgst[i];
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!d) {
|
||||
SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
|
||||
return 0;
|
||||
@ -833,7 +835,7 @@ int tls1_final_finish_mac(SSL *s,
|
||||
if (mask & s->s3->tmp.new_cipher->algorithm2)
|
||||
{
|
||||
int hashsize = EVP_MD_size(md);
|
||||
if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
|
||||
if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)) || s->s3->handshake_dgst == NULL)
|
||||
{
|
||||
/* internal error: 'buf' is too small for this cipersuite! */
|
||||
err = 1;
|
||||
|
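Review bot: In tls1_final_finish_mac the added `|| s->s3->handshake_dgst == NULL` shares a branch whose comment reads `internal error: 'buf' is too small for this cipersuite!`, which no longer describes every way into it. Setting `err = 1` fails closed, which is the right outcome, but the comment should name both causes, e.g. `/* internal error: 'buf' is too small for this ciphersuite, or no handshake digests were allocated */`. In the first hunk of this file the NULL case leaves `d` unset and falls into the existing `if (!d)` error return, so that path already fails with SSL_R_NO_REQUIRED_DIGEST. The rest of both functions is outside the hunks.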