Commit 3ff55e96 authored by Mark J. Cox

Fix buffer overflow in SSL_get_shared_ciphers() function.

(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

Fix SSL client code which could crash if connecting to a
 malicious SSLv2 server.  (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
parent cbb92dfa
+21 −0
@@ -4,6 +4,13 @@

 Changes between 0.9.8d and 0.9.9  [xx XXX xxxx]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server.  (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
     to external functions. This can be used to increase CRL handling 
     efficiency especially when CRLs are very large by (for example) storing
@@ -408,6 +415,20 @@

 Changes between 0.9.8c and 0.9.8d  [xx XXX xxxx]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service.  (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service.  (CVE-2006-2937)  [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server.  (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those.  Before that, "AES256-SHA" would be interpreted
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
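Review bot: The 0.9.8d section in this hunk also gains entries for CVE-2006-2940 and CVE-2006-2937, which the commit message does not mention and which the 0.9.9 section in the previous hunk does not receive. The header (-408,6 +415,20) accounts for 14 added lines, which is all four entries, not just the two Google Security Team ones. Either name the two extra entries in the commit message or land them with the commit that carries those fixes, and mirror them into the 0.9.9 section if the fixes apply there as well.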
+2 −1
@@ -520,7 +520,8 @@ static int get_server_hello(SSL *s)
		CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
		}

	if (s->session->peer != s->session->sess_cert->peer_key->x509)
	if (s->session->sess_cert == NULL 
      || s->session->peer != s->session->sess_cert->peer_key->x509)
		/* can't happen */
		{
		ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
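Review bot: The new condition in get_server_hello() tests only `s->session->sess_cert` for NULL, while `sess_cert->peer_key` is still dereferenced unchecked in the same expression. If `peer_key` can be unset when the server's hello is malformed, add `|| s->session->sess_cert->peer_key == NULL` to the test, or note why that cannot occur. The `/* can't happen */` comment is stale now that the CHANGES entry says a malicious SSLv2 server could crash the client, so it should describe the hostile-server case instead. The continuation line is also indented with spaces where the surrounding lines use tabs.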
+1 −1
@@ -2089,7 +2089,7 @@ int ssl3_get_client_key_exchange(SSL *s)

                if (kssl_ctx->client_princ)
                        {
                        int len = strlen(kssl_ctx->client_princ);
                        size_t len = strlen(kssl_ctx->client_princ);
                        if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 
                                {
                                s->session->krb5_client_princ_len = len;
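Review bot: Neither the commit message nor the CHANGES entries mention this `int` to `size_t` change in ssl3_get_client_key_exchange(); please state in the message which issue it belongs to, or that it is a hardening change with no CVE. With `len` now unsigned, `s->session->krb5_client_princ_len = len;` is an implicit conversion whose target type is not visible in this hunk. The value is bounded by the `len < SSL_MAX_KRB5_PRINCIPAL_LENGTH` test just above, so an explicit cast on the assignment would document that the narrowing is intended.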
+1 −1
@@ -1272,7 +1272,7 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
		c=sk_SSL_CIPHER_value(sk,i);
		for (cp=c->name; *cp; )
			{
			if (len-- == 0)
			if (len-- <= 0)
				{
				*p='\0';
				return(buf);
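Review bot: The `len-- <= 0` test in SSL_get_shared_ciphers() stops the copy once the budget is gone, but the branch it guards still executes `*p='\0'` with no space left. If `p` has already advanced `len` bytes from `buf`, or if the caller passed `len <= 0` and `p` still equals `buf`, that store lands one byte past what the caller offered. Consider rejecting a non-positive `len` before the loop and reserving one byte of the budget for the terminator, so the terminating write is always inside the buffer. It is also worth checking whether any other statement in the loop decrements `len` without a test, since that is the only way the old `== 0` comparison could have been skipped.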