Skip to content
Commit 321ba858 authored by Emilia Kasper's avatar Emilia Kasper
Browse files

Reject elliptic curve lists of odd lengths.



The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit 33d5ba86)
parent fcabfc66
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment