Commit 006a788c authored Sep 21, 2016 by Dr. Stephen Henson

Make message buffer slightly larger than message.



Grow TLS/DTLS 16 bytes more than strictly necessary as a precaution against
OOB reads. In most cases this will have no effect because the message buffer
will be large enough already.

Reviewed-by: Matt Caswell <matt@openssl.org>

parent bc9563f8

ssl/d1_both.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -581,9 +581,12 @@ static int dtls1_preprocess_fragment(SSL s, struct hm_header_st msg_hdr,
		/*
		* msg_len is limited to 2^24, but is effectively checked against max
		* above
		*
		* Make buffer slightly larger than message length as a precaution
		* against small OOB reads e.g. CVE-2016-6306
		*/
		if (!BUF_MEM_grow_clean
		(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
		(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
		SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
		return SSL_AD_INTERNAL_ERROR;
		}

ssl/s3_both.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -417,9 +417,13 @@ long ssl3_get_message(SSL s, int st1, int stn, int mt, long max, int ok)
		SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
		goto f_err;
		}
		/*
		* Make buffer slightly larger than message length as a precaution
		* against small OOB reads e.g. CVE-2016-6306
		*/
		if (l
		&& !BUF_MEM_grow_clean(s->init_buf,
		(int)l + SSL3_HM_HEADER_LENGTH)) {
		(int)l + SSL3_HM_HEADER_LENGTH + 16)) {
		SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
		goto err;
		}