diff options
| -rw-r--r-- | lib/libssl/src/ssl/s3_clnt.c | 43 |
1 files changed, 26 insertions, 17 deletions
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index 1bbe2e686b3..eed6cb5215c 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_clnt.c,v 1.115 2015/07/14 03:27:20 doug Exp $ */ +/* $OpenBSD: s3_clnt.c,v 1.116 2015/07/14 03:33:16 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1784,9 +1784,11 @@ err: int ssl3_get_cert_status(SSL *s) { + CBS cert_status, response; + size_t stow_len; int ok, al; - unsigned long resplen, n; - const unsigned char *p; + long n; + uint8_t status_type; n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, @@ -1794,36 +1796,43 @@ ssl3_get_cert_status(SSL *s) if (!ok) return ((int)n); - if (n < 4) { + + CBS_init(&cert_status, s->init_msg, n); + + if (n < 0 || !CBS_get_u8(&cert_status, &status_type) || + CBS_len(&cert_status) < 3) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); goto f_err; } - p = (unsigned char *)s->init_msg; - if (*p++ != TLSEXT_STATUSTYPE_ocsp) { + + if (status_type != TLSEXT_STATUSTYPE_ocsp) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); goto f_err; } - n2l3(p, resplen); - if (resplen + 4 != n) { + + if (!CBS_get_u24_length_prefixed(&cert_status, &response) || + CBS_len(&cert_status) != 0) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); goto f_err; } - free(s->tlsext_ocsp_resp); - if ((s->tlsext_ocsp_resp = malloc(resplen)) == NULL) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - memcpy(s->tlsext_ocsp_resp, p, resplen); - s->tlsext_ocsp_resplen = resplen; + + if (!CBS_stow(&response, &s->tlsext_ocsp_resp, + &stow_len) || stow_len > INT_MAX) { + s->tlsext_ocsp_resplen = 0; + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CERT_STATUS, + ERR_R_MALLOC_FAILURE); + goto f_err; + } + s->tlsext_ocsp_resplen = (int)stow_len; + if (s->ctx->tlsext_status_cb) { int ret; ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); |