Skip to content
  1. Sep 28, 2016
  2. Sep 27, 2016
  3. Sep 26, 2016
  4. Sep 22, 2016
  5. Sep 21, 2016
    • Andy Polyakov's avatar
      db610cb2
    • Matt Caswell's avatar
      Excessive allocation of memory in dtls1_preprocess_fragment() · df6b5e29
      Matt Caswell authored
      
      
      This issue is very similar to CVE-2016-6307 described in the previous
      commit. The underlying defect is different but the security analysis and
      impacts are the same except that it impacts DTLS.
      
      A DTLS message includes 3 bytes for its length in the header for the
      message.
      This would allow for messages up to 16Mb in length. Messages of this length
      are excessive and OpenSSL includes a check to ensure that a peer is sending
      reasonably sized messages in order to avoid too much memory being consumed
      to service a connection. A flaw in the logic of version 1.1.0 means that
      memory for the message is allocated too early, prior to the excessive
      message length check. Due to way memory is allocated in OpenSSL this could
      mean an attacker could force up to 21Mb to be allocated to service a
      connection. This could lead to a Denial of Service through memory
      exhaustion. However, the excessive message length check still takes place,
      and this would cause the connection to immediately fail. Assuming that the
      application calls SSL_free() on the failed conneciton in a timely manner
      then the 21Mb of allocated memory will then be immediately freed again.
      Therefore the excessive memory allocation will be transitory in nature.
      This then means that there is only a security impact if:
      
      1) The application does not call SSL_free() in a timely manner in the
      event that the connection fails
      or
      2) The application is working in a constrained environment where there
      is very little free memory
      or
      3) The attacker initiates multiple connection attempts such that there
      are multiple connections in a state where memory has been allocated for
      the connection; SSL_free() has not yet been called; and there is
      insufficient memory to service the multiple requests.
      
      Except in the instance of (1) above any Denial Of Service is likely to
      be transitory because as soon as the connection fails the memory is
      subsequently freed again in the SSL_free() call. However there is an
      increased risk during this period of application crashes due to the lack
      of memory - which would then mean a more serious Denial of Service.
      
      This issue does not affect TLS users.
      
      Issue was reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
      
      CVE-2016-6308
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit 48c054fe)
      df6b5e29
    • Matt Caswell's avatar
      Excessive allocation of memory in tls_get_message_header() · 4b390b6c
      Matt Caswell authored
      
      
      A TLS message includes 3 bytes for its length in the header for the message.
      This would allow for messages up to 16Mb in length. Messages of this length
      are excessive and OpenSSL includes a check to ensure that a peer is sending
      reasonably sized messages in order to avoid too much memory being consumed
      to service a connection. A flaw in the logic of version 1.1.0 means that
      memory for the message is allocated too early, prior to the excessive
      message length check. Due to way memory is allocated in OpenSSL this could
      mean an attacker could force up to 21Mb to be allocated to service a
      connection. This could lead to a Denial of Service through memory
      exhaustion. However, the excessive message length check still takes place,
      and this would cause the connection to immediately fail. Assuming that the
      application calls SSL_free() on the failed conneciton in a timely manner
      then the 21Mb of allocated memory will then be immediately freed again.
      Therefore the excessive memory allocation will be transitory in nature.
      This then means that there is only a security impact if:
      
      1) The application does not call SSL_free() in a timely manner in the
      event that the connection fails
      or
      2) The application is working in a constrained environment where there
      is very little free memory
      or
      3) The attacker initiates multiple connection attempts such that there
      are multiple connections in a state where memory has been allocated for
      the connection; SSL_free() has not yet been called; and there is
      insufficient memory to service the multiple requests.
      
      Except in the instance of (1) above any Denial Of Service is likely to
      be transitory because as soon as the connection fails the memory is
      subsequently freed again in the SSL_free() call. However there is an
      increased risk during this period of application crashes due to the lack
      of memory - which would then mean a more serious Denial of Service.
      
      This issue does not affect DTLS users.
      
      Issue was reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
      
      CVE-2016-6307
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit c1ef7c97)
      4b390b6c
    • Andy Polyakov's avatar
      Configure: clarify and refine -static. · f757ce2a
      Andy Polyakov authored
      
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit 047d97af)
      f757ce2a
    • Matt Caswell's avatar
      Don't leak on an OPENSSL_realloc() failure · 1fdeda4c
      Matt Caswell authored
      
      
      If OPENSSL_sk_insert() calls OPENSSL_realloc() and it fails, it was leaking
      the originally allocated memory.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 41bff723)
      1fdeda4c
    • Matt Caswell's avatar
      Don't allow too many consecutive warning alerts · 6915f39e
      Matt Caswell authored
      
      
      Certain warning alerts are ignored if they are received. This can mean that
      no progress will be made if one peer continually sends those warning alerts.
      Implement a count so that we abort the connection if we receive too many.
      
      Issue reported by Shi Lei.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit af58be76)
      6915f39e
    • Andy Polyakov's avatar
      rand/randfile.c: treat empty string in RAND_file_name as error. · e7498968
      Andy Polyakov authored
      
      
      Suggested in GH#1589.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 7dc0ad4d)
      e7498968
    • Andy Polyakov's avatar
      rand/randfile.c: rationalize __OpenBSD__ code path. · 13af417b
      Andy Polyakov authored
      
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit ba8fa4e5)
      13af417b
    • Andy Polyakov's avatar
      rand/randfile.c: restore fallback to $HOME for non-setuid programs. · 098dc9be
      Andy Polyakov authored
      
      
      Reported in GH#1589, but solution is different from suggested.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (cherry picked from commit 799c1293)
      098dc9be
    • Rich Salz's avatar
      Dcoument -alpn flag · 7b368cd6
      Rich Salz authored
      
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit 776e15f9)
      7b368cd6
    • Rich Salz's avatar
      GH1555: Don't bump size on realloc failure · bf0404fe
      Rich Salz authored
      
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (cherry picked from commit 6fcace45)
      bf0404fe
    • Alessandro Ghedini's avatar
      Use switch instead of multiple ifs · 64d1cc09
      Alessandro Ghedini authored
      
      
      Makes the logic a little bit clearer.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/1571)
      (cherry picked from commit 4f8a5f4d)
      64d1cc09