Commit 607e7730 authored by Alessandro Ghedini's avatar Alessandro Ghedini Committed by Matt Caswell
Browse files

Validate ClientHello session_id field length and send alert on failure 



RT#4080

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 0555901c

ssl/s2_srvr.c

+5 −0
Original line number Diff line number Diff line
@@ -598,6 +598,11 @@ static int get_client_hello(SSL *s) 
        s->s2->tmp.cipher_spec_length = i;

        n2s(p, i);

        s->s2->tmp.session_id_length = i;

        if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) {

            ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);

            SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);

            return -1;

        }

        n2s(p, i);

        s->s2->challenge_length = i;

        if ((i < SSL2_MIN_CHALLENGE_LENGTH) ||

ssl/s3_srvr.c

+6 −0
Original line number Diff line number Diff line
@@ -1004,6 +1004,12 @@ int ssl3_get_client_hello(SSL *s) 
        goto f_err;

    }



    if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) {

        al = SSL_AD_DECODE_ERROR;

        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);

        goto f_err;

    }



    s->hit = 0;

    /*

     * Versions before 0.9.7 always allow clients to resume sessions in

ssl/ssl_sess.c

+0 −3
Original line number Diff line number Diff line
@@ -573,9 +573,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, 
    int r;

#endif



    if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH)

        goto err;



    if (session_id + len > limit) {

        fatal = 1;

        goto err;