reject zero length point format list or supported curves extensions
authorDr. Stephen Henson <steve@openssl.org>
Thu, 22 Nov 2012 14:15:36 +0000 (14:15 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 22 Nov 2012 14:15:36 +0000 (14:15 +0000)
ssl/t1_lib.c

index a438321a41e0298c5fa2ec750349eea34b1cd2b9..9b9fb356f8f25a35a331aec6fcb72721163bff2d 100644 (file)
@@ -1498,7 +1498,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        int ellipticcurvelist_length = (*(sdata++) << 8);
                        ellipticcurvelist_length += (*(sdata++));
 
-                       if (ellipticcurvelist_length != size - 2)
+                       if (ellipticcurvelist_length != size - 2 ||
+                               ellipticcurvelist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
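Review bot: The added `ellipticcurvelist_length < 1` test still accepts an odd length such as 1 or 3, although each entry in the supported curves list is a two-byte identifier, so a truncated final entry would pass this check. Extending the condition with `|| (ellipticcurvelist_length & 1)` would reject those as decode errors as well, and a short comment such as `/* each NamedCurve is 2 bytes */` beside it would record why. The body of ssl_scan_clienthello_tlsext continues outside this hunk, so how the list is consumed afterwards is not visible here.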
@@ -1931,7 +1932,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
                        unsigned char *sdata = data;
                        int ecpointformatlist_length = *(sdata++);
 
-                       if (ecpointformatlist_length != size - 1)
+                       if (ecpointformatlist_length != size - 1 || 
+                               ecpointformatlist_length < 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
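Review bot: `int ecpointformatlist_length = *(sdata++);` dereferences the extension data before anything in this hunk establishes that `size` is at least 1, so a zero-length extension is rejected only after one byte past it has been read. The same ordering applies to the two-byte length read in the ssl_scan_clienthello_tlsext hunk above when `size` is below 2. The rest of the function is outside the hunk, so an earlier bound may already exist. If it does not, test `size` before the read, e.g. `if (size < 1)` with the same `TLS1_AD_DECODE_ERROR` return, and `size < 2` for the curves list.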