Commit 8d038a08 authored by Dr. Stephen Henson

The fix for CVE-2012-2110 did not take into account that the

'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.

Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.
parent 747c6ffd
+5 −1
@@ -4,7 +4,11 @@

 Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]

  *)
  *) The fix for CVE-2012-2110 did not take into account that the 
     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
     rejecting negative len parameter. (CVE-2012-2131)
     [Tomas Hoger <thoger@redhat.com>]

 Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
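Review bot: The new CHANGES entry has trailing whitespace at the end of two of its lines ("...did not take into account that the " and "...making it still vulnerable. Fix by "); strip it so the entry matches the formatting of the surrounding ones.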

+10 −0
@@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
	char *ret;
	unsigned int n;

	if (len < 0)
		{
		BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
		return 0;
		}
	if (str->length >= len)
		{
		str->length=len;
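Review bot: The new `if (len < 0)` branch in BUF_MEM_grow raises ERR_R_MALLOC_FAILURE although no allocation was attempted, so an error-queue entry caused by a negative length cannot be told apart from a real out-of-memory condition. Consider a distinct reason code for the invalid argument, or at least a short comment above the check stating that len is a signed int here and that the check must stay ahead of the `str->length >= len` comparison and the `str->length=len` assignment that follow it.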
@@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
	char *ret;
	unsigned int n;

	if (len < 0)
		{
		BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
		return 0;
		}
	if (str->length >= len)
		{
		memset(&str->data[len],0,str->length-len);
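Review bot: The guard at the top of BUF_MEM_grow_clean duplicates the one in BUF_MEM_grow line for line, differing only in the function code passed to BUFerr; a shared helper or macro would keep the two checks from drifting apart. A comment is also worth adding here, because the statement right after the comparison indexes with len, `memset(&str->data[len],0,str->length-len)`, and a later reordering that moved the check below it would reopen the problem without any visible hint.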