Fix possible buffer overrun. (22a10c89) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssl_locl.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -1284,8 +1284,8 @@ int tls1_shared_list(SSL *s,
		const unsigned char *l1, size_t l1len,
		const unsigned char *l2, size_t l2len,
		int nmatch);
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit, int *al);
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit, int *al);
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char buf, unsigned char limit, int *al);
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char buf, unsigned char limit, int *al);
		int ssl_parse_clienthello_tlsext(SSL s, unsigned char data, unsigned char d, int n);
		int ssl_check_clienthello_tlsext_late(SSL *s);
		int ssl_parse_serverhello_tlsext(SSL s, unsigned char data, unsigned char d, int n);

ssl/t1_lib.c

+18 −16

Original line number	Diff line number	Diff line
		@@ -1106,10 +1106,11 @@ static int tls_use_ticket(SSL *s)
		return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
		}

		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit, int *al)
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char buf, unsigned char limit, int *al)
		{
		int extdatalen=0;
		unsigned char *ret = p;
		unsigned char *orig = buf;
		unsigned char *ret = buf;
		#ifndef OPENSSL_NO_EC
		/* See if we support any ECC ciphersuites */
		int using_ecc = 0;
		@@ -1138,7 +1139,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha
		/* don't add extensions for SSLv3 unless doing secure renegotiation */
		if (s->client_version == SSL3_VERSION
		&& !s->s3->send_connection_binding)
		return p;
		return orig;

		ret+=2;

		@@ -1187,7 +1188,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha
		return NULL;
		}

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);
		@@ -1460,7 +1461,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha

		ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);
		@@ -1541,17 +1542,18 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha
		}
		}

		if ((extdatalen = ret-p-2) == 0)
		return p;
		if ((extdatalen = ret-orig-2)== 0)
		return orig;

		s2n(extdatalen,p);
		s2n(extdatalen, orig);
		return ret;
		}

		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit, int *al)
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char buf, unsigned char limit, int *al)
		{
		int extdatalen=0;
		unsigned char *ret = p;
		unsigned char *orig = buf;
		unsigned char *ret = buf;
		size_t i;
		custom_srv_ext_record *record;
		#ifndef OPENSSL_NO_NEXTPROTONEG
		@@ -1565,7 +1567,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha
		#endif
		/* don't add extensions for SSLv3, unless doing secure renegotiation */
		if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
		return p;
		return orig;

		ret+=2;
		if (ret>=limit) return NULL; /* this really never occurs, but ... */
		@@ -1588,7 +1590,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha
		return NULL;
		}

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);
		@@ -1668,7 +1670,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha

		ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);
		@@ -1794,10 +1796,10 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha
		ret += len;
		}

		if ((extdatalen = ret-p-2)== 0)
		return p;
		if ((extdatalen = ret-orig-2)== 0)
		return orig;

		s2n(extdatalen,p);
		s2n(extdatalen, orig);
		return ret;
		}