Reject elliptic curve lists of odd lengths.

The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e0f28d254ba2be11a0b5fae220ff70bee7c2cb31..c5c8bb95f3a31e81b0be5e2f9737931c62ed3129 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2155,7 +2155,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        ellipticcurvelist_length += (*(sdata++));
 
                        if (ellipticcurvelist_length != size - 2 ||
-                               ellipticcurvelist_length < 1)
+                               ellipticcurvelist_length < 1 ||
+                               /* Each NamedCurve is 2 bytes. */
+                               ellipticcurvelist_length & 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;