diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2014-12-06 13:28:57 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-12-06 13:28:57 +0000 |
| commit | ea0586b18e6c30ae314a7cced53b5bd49801603b (patch) | |
| tree | a1282c5e420c57a1edccc059701d32de27952746 | |
| parent | 4bb6b073d26c974f7c9351606de6bbe90cf0a3bf (diff) | |
Ensure that the client specified EC curve list length is a multiple of two.
The EC curve handling code assumes this to be the case and will read one
byte off the end of the curve list during processing, in the case where it
is not.
ok miod@
| -rw-r--r-- | lib/libssl/t1_lib.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c index 3412e70d307..5a6c0ddba0d 100644 --- a/lib/libssl/t1_lib.c +++ b/lib/libssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.70 2014/12/06 13:28:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1370,7 +1370,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2 || - ellipticcurvelist_length < 1) { + ellipticcurvelist_length < 1 || + ellipticcurvelist_length % 2 != 0) { *al = TLS1_AD_DECODE_ERROR; return 0; } |