backport fix from the stable branch
authorNils Larsch <nils@openssl.org>
Tue, 3 May 2005 10:00:16 +0000 (10:00 +0000)
committerNils Larsch <nils@openssl.org>
Tue, 3 May 2005 10:00:16 +0000 (10:00 +0000)
ChangeLog.0_9_7-stable_not-in-head
ssl/s3_pkt.c
ssl/s3_srvr.c

index b689ca2..51a24c8 100644 (file)
@@ -165,28 +165,6 @@ be added to the end of this file.
 
        DES CFB8 test.
 
-2004-03-17 05:01  mark
-
-       Changed:
-               CHANGES (1.977.2.128), "Exp", lines: +9 -1
-               FAQ (1.61.2.30), "Exp", lines: +1 -1
-               LICENSE (1.7.2.3), "Exp", lines: +1 -1
-               NEWS (1.39.2.21), "Exp", lines: +8 -0
-               README (1.39.2.24), "Exp", lines: +2 -2
-               STATUS (1.211.2.41), "Exp", lines: +4 -1
-               openssl.spec (1.6.2.6), "Exp", lines: +1 -1
-               crypto/opensslv.h (1.40.2.21), "Exp", lines: +2 -2
-               ssl/s3_pkt.c (1.46.2.6), "Exp", lines: +8 -0
-               ssl/s3_srvr.c (1.85.2.20), "Exp", lines: +16 -0
-
-       Fix null-pointer assignment in do_change_cipher_spec() revealed by
-       using the Codenomicon TLS Test Tool (CAN-2004-0079) Fix flaw in
-       SSL/TLS handshaking when using Kerberos ciphersuites
-       (CAN-2004-0112) Ready for 0.9.7d build
-
-               Submitted by: Steven Henson Reviewed by: Joe Orton Approved
-       by: Mark Cox
-
 2004-05-12 16:11  ben
 
        Changed:
index f92ec59..a24cec2 100644 (file)
@@ -1087,6 +1087,14 @@ start:
                        goto f_err;
                        }
 
+               /* Check we have a cipher to change to */
+               if (s->s3->tmp.new_cipher == NULL)
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
+                       }
+
                rr->length=0;
 
                if (s->msg_callback)
index 7bb68e0..6daf703 100644 (file)
@@ -1883,11 +1883,27 @@ int ssl3_get_client_key_exchange(SSL *s)
 
                n2s(p,i);
                enc_ticket.length = i;
+
+               if (n < enc_ticket.length + 6)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                       goto err;
+                       }
+
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
 
                n2s(p,i);
                authenticator.length = i;
+
+               if (n < enc_ticket.length + authenticator.length + 6)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                       goto err;
+                       }
+
                authenticator.data = (char *)p;
                p+=authenticator.length;