X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fs2_srvr.c;h=391287bfcd2b05b76747c170e48a0ee4d74cb5d2;hb=c046fffa16cd55c972f71c49051b8ce6b83eed7f;hp=582420bcffb182570d083f4c2aef99312658cee2;hpb=c23d16ac1987f453ade45d3b9927e62c02b17ce0;p=openssl.git

diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 582420bcff..391287bfcd 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -116,6 +116,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -159,7 +160,7 @@ int ssl2_accept(SSL *s)
 	BUF_MEM *buf=NULL;
 	int ret= -1;
 	long num1;
-	void (*cb)()=NULL;
+	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int new_state,state;
 
 	RAND_add(&l,sizeof(l),0);
@@ -417,11 +418,18 @@ static int get_client_master_key(SSL *s)
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+			{
+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+				   SSL_R_KEY_ARG_TOO_LONG);
+			return -1;
+			}
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
@@ -504,6 +512,7 @@ static int get_client_master_key(SSL *s)
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
@@ -670,6 +679,7 @@ static int get_client_hello(SSL *s)
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -826,6 +836,7 @@ static int get_client_finished(SSL *s)
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	len = 1 + (unsigned long)s->s2->conn_id_length;
 	n = (int)len - s->init_num;
 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -853,6 +864,7 @@ static int server_verify(SSL *s)
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -872,6 +884,8 @@ static int server_finish(SSL *s)
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */