Commit ff553f83 authored by Dr. Stephen Henson

Fix small OOB reads.



In ssl3_get_client_certificate, ssl3_get_server_certificate and
ssl3_get_certificate_request check we have enough room
before reading a length.

Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.

CVE-2016-6306

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
parent d0cbaa2f
+11 −0
@@ -1216,6 +1216,12 @@ int ssl3_get_server_certificate(SSL *s)
        goto f_err;
    }
    for (nc = 0; nc < llen;) {
        if (nc + 3 > llen) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        n2l3(p, l);
        if ((l + nc + 3) > llen) {
            al = SSL_AD_DECODE_ERROR;
@@ -2171,6 +2177,11 @@ int ssl3_get_certificate_request(SSL *s)
    }

    for (nc = 0; nc < llen;) {
        if (nc + 2 > llen) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
            goto err;
        }
        n2s(p, l);
        if ((l + nc + 2) > llen) {
            if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
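Review bot: The new guard in the ssl3_get_certificate_request hunk reports a truncated length prefix as `SSL_R_CA_DN_TOO_LONG`, which misdescribes the condition: fewer than two bytes remain in the list, so no DN length has been read yet. Anyone triaging the resulting decode_error alert from the error queue is pointed at an oversized DN rather than a short message; `SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_LENGTH_MISMATCH);` would describe it more accurately. The guard also sits ahead of the `SSL_OP_NETSCAPE_CA_DN_BUG` branch, so it applies even when that workaround is enabled; that looks intended, but a comment such as `/* need 2 bytes for the DN length before n2s() reads them */` would record it. The loop body continues outside the hunk.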
+6 −0
@@ -3220,6 +3220,12 @@ int ssl3_get_client_certificate(SSL *s)
        goto f_err;
    }
    for (nc = 0; nc < llen;) {
        if (nc + 3 > llen) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        n2l3(p, l);
        if ((l + nc + 3) > llen) {
            al = SSL_AD_DECODE_ERROR;
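Review bot: The `3` in `if (nc + 3 > llen)` at the top of the loop is the size of the length field that `n2l3(p, l)` consumes next, but nothing in the code says so, and the check reads almost identically to the existing `(l + nc + 3) > llen` test just below it. A short comment would keep the two apart, for example `/* need 3 bytes for the certificate length before n2l3() reads them */`. Because the loop condition already guarantees `nc < llen`, the guard could also be written `if (llen - nc < 3)`, which avoids the addition altogether; the operand declarations are outside the hunk, so this is a hardening suggestion rather than a confirmed overflow. The same applies to the identical guard in the ssl3_get_server_certificate hunk, and both function bodies continue outside their hunks.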