Fix length check writing status request extension (83a1d4b2) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

The status request extension did not correctly check its length, meaning that writing the extension could go 2 bytes beyond the buffer size. In practice this makes little difference because, due to logic in buffer.c the buffer is actually over allocated by approximately 5k! Issue reported by Guido Vranken. Reviewed-by:

Rich Salz <rsalz@openssl.org>

ssl/t1_lib.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -1479,7 +1479,14 @@ unsigned char ssl_add_clienthello_tlsext(SSL s, unsigned char *buf,
		} else
		extlen = 0;

		if ((long)(limit - ret - 7 - extlen - idlen) < 0)
		/*
		* 2 bytes for status request type
		* 2 bytes for status request len
		* 1 byte for OCSP request type
		* 2 bytes for length of ids
		* 2 bytes for length of extensions
		*/
		if ((long)(limit - ret - 9 - extlen - idlen) < 0)
		return NULL;
		s2n(TLSEXT_TYPE_status_request, ret);
		if (extlen + idlen > 0xFFF0)

Admin message