Commit 83a1d4b2 authored by Matt Caswell

Fix length check writing status request extension



The status request extension did not correctly check its length, meaning
that writing the extension could go 2 bytes beyond the buffer size. In
practice this makes little difference because, due to logic in buffer.c the
buffer is actually over allocated by approximately 5k!

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz <rsalz@openssl.org>
parent 57aa2f15
+8 −1
@@ -1479,7 +1479,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
        } else
            extlen = 0;

        if ((long)(limit - ret - 7 - extlen - idlen) < 0)
        /*
         * 2 bytes for status request type
         * 2 bytes for status request len
         * 1 byte for OCSP request type
         * 2 bytes for length of ids
         * 2 bytes for length of extensions
         */
        if ((long)(limit - ret - 9 - extlen - idlen) < 0)
            return NULL;
        s2n(TLSEXT_TYPE_status_request, ret);
        if (extlen + idlen > 0xFFF0)
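
Review bot: the bound in `if ((long)(limit - ret - 9 - extlen - idlen) < 0)` is still a bare literal, and the old `7` shows how easily such a number falls out of step with the bytes that are written. The new comment itemises 2 + 2 + 1 + 2 + 2, but nothing ties that list to the code, so consider writing the total as the sum of the five field sizes or as a named constant, so that a later change to the extension layout forces the check to be revisited. Separately, in the trailing context the `extlen + idlen > 0xFFF0` test runs after `s2n(TLSEXT_TYPE_status_request, ret)` has already written to the buffer; performing both size checks before the first write would keep all the validation in one place.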