summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2014-12-06 13:21:15 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-12-06 13:21:15 +0000
commit4bb6b073d26c974f7c9351606de6bbe90cf0a3bf (patch)
treefb078014182b46e5d5b0f54add38a7b4c290222a /lib/libssl
parent20e72b5ce20a488fd72f501a383622e4ac471476 (diff)
Fix two cases where it is possible to read one or two bytes past the end of
the buffer. The later size check would catch this, however reading first and checking later is less than ideal. ok miod@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/t1_lib.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/lib/libssl/t1_lib.c b/lib/libssl/t1_lib.c
index 2a53b09ed23..3412e70d307 100644
--- a/lib/libssl/t1_lib.c
+++ b/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.68 2014/12/02 20:46:19 miod Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.69 2014/12/06 13:21:14 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1334,7 +1334,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
else if (type == TLSEXT_TYPE_ec_point_formats &&
s->version != DTLS1_VERSION) {
unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
+ int ecpointformatlist_length;
+
+ if (size < 1) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ecpointformatlist_length = *(sdata++);
if (ecpointformatlist_length != size - 1) {
*al = TLS1_AD_DECODE_ERROR;
@@ -1354,7 +1360,13 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
} else if (type == TLSEXT_TYPE_elliptic_curves &&
s->version != DTLS1_VERSION) {
unsigned char *sdata = data;
- int ellipticcurvelist_length = (*(sdata++) << 8);
+ int ellipticcurvelist_length;
+
+ if (size < 2) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ ellipticcurvelist_length = (*(sdata++) << 8);
ellipticcurvelist_length += (*(sdata++));
if (ellipticcurvelist_length != size - 2 ||