Fix possible buffer overrun. (2db3ea29) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssl_locl.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -1096,8 +1096,8 @@ int tls1_ec_nid2curve_id(int nid);
		#endif /* OPENSSL_NO_EC */

		#ifndef OPENSSL_NO_TLSEXT
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit);
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit);
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char buf, unsigned char limit);
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char buf, unsigned char limit);
		int ssl_parse_clienthello_tlsext(SSL s, unsigned char data, unsigned char d, int n, int *al);
		int ssl_parse_serverhello_tlsext(SSL s, unsigned char data, unsigned char d, int n, int *al);
		int ssl_prepare_clienthello_tlsext(SSL *s);

ssl/t1_lib.c

+18 −16

Original line number	Diff line number	Diff line
		@@ -352,15 +352,16 @@ int tls12_get_req_sig_algs(SSL s, unsigned char p)
		return (int)slen;
		}

		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char p, unsigned char limit)
		unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char buf, unsigned char limit)
		{
		int extdatalen=0;
		unsigned char *ret = p;
		unsigned char *orig = buf;
		unsigned char *ret = buf;

		/* don't add extensions for SSLv3 unless doing secure renegotiation */
		if (s->client_version == SSL3_VERSION
		&& !s->s3->send_connection_binding)
		return p;
		return orig;

		ret+=2;

		@@ -409,7 +410,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha
		return NULL;
		}

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);
		@@ -650,7 +651,7 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha

		ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);
		@@ -693,24 +694,25 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *p, unsigned cha
		}
		}

		if ((extdatalen = ret-p-2)== 0)
		return p;
		if ((extdatalen = ret-orig-2)== 0)
		return orig;

		s2n(extdatalen,p);
		s2n(extdatalen, orig);
		return ret;
		}

		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char p, unsigned char limit)
		unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char buf, unsigned char limit)
		{
		int extdatalen=0;
		unsigned char *ret = p;
		unsigned char *orig = buf;
		unsigned char *ret = buf;
		#ifndef OPENSSL_NO_NEXTPROTONEG
		int next_proto_neg_seen;
		#endif

		/* don't add extensions for SSLv3, unless doing secure renegotiation */
		if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
		return p;
		return orig;

		ret+=2;
		if (ret>=limit) return NULL; /* this really never occurs, but ... */
		@@ -733,7 +735,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha
		return NULL;
		}

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_renegotiate,ret);
		s2n(el,ret);
		@@ -813,7 +815,7 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha

		ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);

		if((limit - p - 4 - el) < 0) return NULL;
		if((limit - ret - 4 - el) < 0) return NULL;

		s2n(TLSEXT_TYPE_use_srtp,ret);
		s2n(el,ret);
		@@ -884,10 +886,10 @@ unsigned char ssl_add_serverhello_tlsext(SSL s, unsigned char *p, unsigned cha
		}
		#endif

		if ((extdatalen = ret-p-2)== 0)
		return p;
		if ((extdatalen = ret-orig-2)== 0)
		return orig;

		s2n(extdatalen,p);
		s2n(extdatalen, orig);
		return ret;
		}