Commit c46ecc3a authored by Dr. Stephen Henson

Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
parent 7388b43c
+8 −0
@@ -292,6 +292,14 @@
 
 Changes between 1.0.1b and 1.0.1c [xx XXX xxxx]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to avoid DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
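
Review bot: The new CHANGES entry (the "Sanity check record length" item) names the protocol versions covered but not the cipher mode. The tls1_enc change in this commit sits inside the EVP_CIPH_CBC_MODE test, so consider stating in the entry that the check applies to CBC ciphersuites, which lets a reader judge exposure from the changelog alone.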
+1 −1
@@ -260,7 +260,7 @@ int dtls1_enc(SSL *s, int send)
				}
			/* TLS 1.0 does not bound the number of padding bytes by the block size.
			 * All of them must have value 'padding_length'. */
			if (i > (int)rec->length)
			if (i + bs > (int)rec->length)
				{
				/* Incorrect padding. SSLerr() and ssl3_alert are done
				 * by caller: we don't want to reveal whether this is
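
Review bot: In dtls1_enc the padding test changes from i > (int)rec->length to i + bs > (int)rec->length, but the comment directly above still only describes TLS 1.0 padding bytes and gives no reason for the added bs term. Going by the commit message, bs reserves room for the explicit IV; say so in the comment, and note that a record too short for the IV is now reported through the incorrect-padding path rather than as a distinct error, so that a later reader does not take the extra term for a mistake.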
+2 −0
@@ -889,6 +889,8 @@ int tls1_enc(SSL *s, int send)
			if (s->version >= TLS1_1_VERSION
				&& EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
				{
				if (bs > (int)rec->length)
					return -1;
				rec->data += bs;    /* skip the explicit IV */
				rec->input += bs;
				rec->length -= bs;
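
Review bot: The new guard in tls1_enc, if (bs > (int)rec->length) return -1;, has no comment and returns a bare -1 whose meaning for the caller is not stated at this point. The (int) cast suggests rec->length is unsigned, in which case rec->length -= bs below would wrap for a short record; a one-line comment saying the record must hold at least one block for the explicit IV would document why the check exists. It is also worth confirming that callers handle -1 from here the same way as other malformed-record failures, since the dtls1_enc hunk routes the equivalent condition through the padding-error path instead.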