Commit fb0bc2b2 authored by Gabor Tyukasz, committed by Matt Caswell

Fix race condition in ssl_parse_serverhello_tlsext



CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
parent 0042fb5f
+10 −7
@@ -2647,6 +2647,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
				*al = TLS1_AD_DECODE_ERROR;
				return 0;
				}
			if (!s->hit)
				{
				s->session->tlsext_ecpointformatlist_length = 0;
				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
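Review bot: The new `if (!s->hit)` guard that now wraps the free/alloc of `s->session->tlsext_ecpointformatlist` carries no comment explaining why the resumed-handshake path must leave the session untouched, and the commit message only gives the CVE number, so the next reader has to rediscover the reasoning. A one-line comment above the guard would do, e.g. `/* Do not touch s->session on resumption (s->hit): the session object is presumably shared with other connections, so freeing and reallocating the list here races with them (CVE-2014-3509). */` — the "shared" part is my inference from the title and should be confirmed before it is written as fact. The same guard closes with the `}` added in the second hunk of this file, and the `#if 0` debug block that follows it still dereferences the list unconditionally, which is harmless only because it is compiled out. The commit title names ssl_parse_serverhello_tlsext while the hunk header shows the code living in ssl_scan_serverhello_tlsext; if the former is a wrapper for the latter, saying so in the message would help. The enclosing function starts and ends outside this hunk.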
@@ -2656,6 +2658,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
					}
				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
				}
#if 0
			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
			sdata = s->session->tlsext_ecpointformatlist;