Handle the unlikely event that BIO_get_mem_data() returns -ve.

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5cea73ca1abcbedaf7c06d5482d1e7dd66af734c..af97a7e1382a0fb7226278fcf6b4a1b27f8e33d0 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -871,7 +871,8 @@ int ssl3_get_server_hello(SSL *s)
                        }
                }
        s->s3->tmp.new_cipher=c;
-       ssl3_digest_cached_records(s);
+       if (!ssl3_digest_cached_records(s))
+               goto f_err;
 
        /* lets get the compression algorithm */
        /* COMPRESSION */

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index a7943aba81e140d36f68e1a5b5fb4e7fa8ca37df..8e484d3b0c7e2835f5d33883a4042efd38522df1 100644 (file)
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -580,37 +580,47 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
                        }
                }       
        }
-void ssl3_digest_cached_records(SSL *s)
+
+int ssl3_digest_cached_records(SSL *s)
        {
-               int i;
-               long mask;
-               const EVP_MD *md;
-               long hdatalen;
-               void *hdata;
-               /* Allocate handshake_dgst array */
-               ssl3_free_digest_list(s);
-               s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
-               memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
-               hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
-               /* Loop through bitso of algorithm2 field and create MD_CTX-es */
-               for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++) 
+       int i;
+       long mask;
+       const EVP_MD *md;
+       long hdatalen;
+       void *hdata;
+
+       /* Allocate handshake_dgst array */
+       ssl3_free_digest_list(s);
+       s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+       memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
+       hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
+       if (hdatalen <= 0)
+               {
+               SSLerr(SSL_F_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
+               return 0;
+               }
+
+       /* Loop through bitso of algorithm2 field and create MD_CTX-es */
+       for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++) 
+               {
+               if ((mask & s->s3->tmp.new_cipher->algorithm2) && md) 
                        {
-                               if ((mask & s->s3->tmp.new_cipher->algorithm2) && md) 
-                               {
-                                       s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-                                       EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
-                                       EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
-                               } 
-                               else 
-                               {       
-                                       s->s3->handshake_dgst[i]=NULL;
-                               }
+                       s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+                       EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
+                       EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
+                       } 
+               else 
+                       {       
+                       s->s3->handshake_dgst[i]=NULL;
                        }
-               /* Free handshake_buffer BIO */
-               BIO_free(s->s3->handshake_buffer);
-               s->s3->handshake_buffer = NULL;
+               }
+       /* Free handshake_buffer BIO */
+       BIO_free(s->s3->handshake_buffer);
+       s->s3->handshake_buffer = NULL;
 
+       return 1;
        }
+
 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
        {
        return(ssl3_handshake_mac(s,md_nid,NULL,0,p));
@@ -632,8 +642,10 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
        unsigned int i;
        unsigned char md_buf[EVP_MAX_MD_SIZE];
        EVP_MD_CTX ctx,*d=NULL;
+
        if (s->s3->handshake_buffer) 
-               ssl3_digest_cached_records(s);
+               if (!ssl3_digest_cached_records(s))
+                       return 0;
 
        /* Search for djgest of specified type  in the handshake_dgst
         * array*/

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 876d0caf38afd52f8275f310ef1ec3e415999274..5cc3a196d79860e93415f902fdbc0c337b274a12 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -531,7 +531,8 @@ int ssl3_accept(SSL *s)
                                 * should be generalized. But it is next step
                                 */
                                if (s->s3->handshake_buffer)
-                                       ssl3_digest_cached_records(s);
+                                       if (!ssl3_digest_cached_records(s))
+                                               return -1;
                                for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)    
                                        if (s->s3->handshake_dgst[dgst_num]) 
                                                {
@@ -1158,7 +1159,8 @@ int ssl3_get_client_hello(SSL *s)
                s->s3->tmp.new_cipher=s->session->cipher;
                }
 
-       ssl3_digest_cached_records(s);
+       if (!ssl3_digest_cached_records(s))
+               goto f_err;
        
        /* we now have the following setup. 
         * client_random

diff --git a/ssl/ssl.h b/ssl/ssl.h
index e43b5c27c6db5dba22d4f1490c2f540c1ceec2f1..64173af1cc4030a26538ad342852cedd03d68d90 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1784,6 +1784,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_CLIENT_HELLO                              101
 #define SSL_F_CLIENT_MASTER_KEY                                 102
 #define SSL_F_D2I_SSL_SESSION                           103
+#define SSL_F_DIGEST_CACHED_RECORDS                     293
 #define SSL_F_DO_DTLS1_WRITE                            245
 #define SSL_F_DO_SSL3_WRITE                             104
 #define SSL_F_DTLS1_ACCEPT                              246
@@ -1945,6 +1946,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SET_RFD                               194
 #define SSL_F_SSL_SET_SESSION                           195
 #define SSL_F_SSL_SET_SESSION_ID_CONTEXT                218
+#define SSL_F_SSL_SET_SESSION_TICKET_EXT                294
 #define SSL_F_SSL_SET_TRUST                             228
 #define SSL_F_SSL_SET_WFD                               196
 #define SSL_F_SSL_SHUTDOWN                              224
@@ -1972,7 +1974,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_PRF                                  284
 #define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
 #define SSL_F_WRITE_PENDING                             212
-#define SSL_F_SSL_SET_SESSION_TICKET_EXT                213
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE                     100
@@ -1991,6 +1992,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_BAD_ECC_CERT                              304
 #define SSL_R_BAD_ECDSA_SIGNATURE                       305
 #define SSL_R_BAD_ECPOINT                               306
+#define SSL_R_BAD_HANDSHAKE_LENGTH                      332
 #define SSL_R_BAD_HELLO_REQUEST                                 105
 #define SSL_R_BAD_LENGTH                                271
 #define SSL_R_BAD_MAC_DECODE                            113

diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 817b67e2d298be8dbd42f5ca97a874567b987b41..7879a3194e2be2714bb295431e4676bce154d069 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -75,6 +75,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_CLIENT_HELLO), "CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),    "CLIENT_MASTER_KEY"},
 {ERR_FUNC(SSL_F_D2I_SSL_SESSION),      "d2i_SSL_SESSION"},
+{ERR_FUNC(SSL_F_DIGEST_CACHED_RECORDS),        "DIGEST_CACHED_RECORDS"},
 {ERR_FUNC(SSL_F_DO_DTLS1_WRITE),       "DO_DTLS1_WRITE"},
 {ERR_FUNC(SSL_F_DO_SSL3_WRITE),        "DO_SSL3_WRITE"},
 {ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
@@ -236,6 +237,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_SET_RFD),  "SSL_set_rfd"},
 {ERR_FUNC(SSL_F_SSL_SET_SESSION),      "SSL_set_session"},
 {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),   "SSL_set_session_id_context"},
+{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),   "SSL_set_session_ticket_ext"},
 {ERR_FUNC(SSL_F_SSL_SET_TRUST),        "SSL_set_trust"},
 {ERR_FUNC(SSL_F_SSL_SET_WFD),  "SSL_set_wfd"},
 {ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
@@ -263,7 +265,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_PRF),     "tls1_prf"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_WRITE_PENDING),        "WRITE_PENDING"},
-{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
 {0,NULL}
        };
 
@@ -285,6 +286,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_BAD_ECC_CERT)          ,"bad ecc cert"},
 {ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE)   ,"bad ecdsa signature"},
 {ERR_REASON(SSL_R_BAD_ECPOINT)           ,"bad ecpoint"},
+{ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH)  ,"bad handshake length"},
 {ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     ,"bad hello request"},
 {ERR_REASON(SSL_R_BAD_LENGTH)            ,"bad length"},
 {ERR_REASON(SSL_R_BAD_MAC_DECODE)        ,"bad mac decode"},

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 30bd74676ca51ab98a89b2fb7045b8035d27f93d..9df4be54c6b55ad3ee261d4f15aa75b8179ad880 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -880,7 +880,7 @@ int ssl3_setup_read_buffer(SSL *s);
 int    ssl3_setup_write_buffer(SSL *s);
 int    ssl3_release_read_buffer(SSL *s);
 int    ssl3_release_write_buffer(SSL *s);
-void ssl3_digest_cached_records(SSL *s);
+int    ssl3_digest_cached_records(SSL *s);
 int    ssl3_new(SSL *s);
 void   ssl3_free(SSL *s);
 int    ssl3_accept(SSL *s);

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3a349920d9cd2144e73472f43b98f46fc59c74cf..4d9a18e3a6679fcb85f389189d22a93b8177da5e 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -749,7 +749,9 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
        int i;
 
        if (s->s3->handshake_buffer) 
-               ssl3_digest_cached_records(s);
+               if (!ssl3_digest_cached_records(s))
+                       return 0;
+
        for (i=0;i<SSL_MAX_DIGEST;i++) 
                {
                  if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) 
@@ -784,10 +786,11 @@ int tls1_final_finish_mac(SSL *s,
 
        q=buf;
 
-       EVP_MD_CTX_init(&ctx);
-
        if (s->s3->handshake_buffer) 
-               ssl3_digest_cached_records(s);
+               if (!ssl3_digest_cached_records(s))
+                       return 0;
+
+       EVP_MD_CTX_init(&ctx);
 
        for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
                {