Fix possible buffer overrun.

author Ben Laurie <ben@links.org>

Wed, 23 Apr 2014 17:13:20 +0000 (18:13 +0100)

committer Ben Laurie <ben@links.org>

Tue, 1 Jul 2014 22:39:17 +0000 (23:39 +0100)
author Ben Laurie <ben@links.org>
Wed, 23 Apr 2014 17:13:20 +0000 (18:13 +0100)
committer Ben Laurie <ben@links.org>
Tue, 1 Jul 2014 22:39:17 +0000 (23:39 +0100)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h

index eb4d8f2fa97bf7d42c454fdf0f4cd16c8e70945f..97cde4055d470d0cfeb2aa4d92bf4e60e880073c 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1096,8 +1096,8 @@ int tls1_ec_nid2curve_id(int nid);
  #endif /* OPENSSL_NO_EC */
  
  #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); 
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); 
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit); 
  int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
  int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
  int ssl_prepare_clienthello_tlsext(SSL *s);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index f7abce9258ede420866813be7bdd1210c716bc55..f6a480d0e28a46946f9f45a4fbdc2f260e301680 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -352,15 +352,16 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
         return (int)slen;
         }
  
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
         {
         int extdatalen=0;
-       unsigned char *ret = p;
+       unsigned char *orig = buf;
+       unsigned char *ret = buf;
  
         /* don't add extensions for SSLv3 unless doing secure renegotiation */
         if (s->client_version == SSL3_VERSION
                                         && !s->s3->send_connection_binding)
-               return p;
+               return orig;
  
         ret+=2;
  
@@ -409,7 +410,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                return NULL;
                }
  
-          if((limit - p - 4 - el) < 0) return NULL;
+          if((limit - ret - 4 - el) < 0) return NULL;
            
            s2n(TLSEXT_TYPE_renegotiate,ret);
            s2n(el,ret);
@@ -650,7 +651,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
  
                  ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
                  
-                if((limit - p - 4 - el) < 0) return NULL;
+                if((limit - ret - 4 - el) < 0) return NULL;
  
                  s2n(TLSEXT_TYPE_use_srtp,ret);
                  s2n(el,ret);
@@ -693,24 +694,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                         }
                 }
  
-       if ((extdatalen = ret-p-2)== 0) 
-               return p;
+       if ((extdatalen = ret-orig-2)== 0) 
+               return orig;
  
-       s2n(extdatalen,p);
+       s2n(extdatalen, orig);
         return ret;
         }
  
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
         {
         int extdatalen=0;
-       unsigned char *ret = p;
+       unsigned char *orig = buf;
+       unsigned char *ret = buf;
  #ifndef OPENSSL_NO_NEXTPROTONEG
         int next_proto_neg_seen;
  #endif
  
         /* don't add extensions for SSLv3, unless doing secure renegotiation */
         if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
-               return p;
+               return orig;
         
         ret+=2;
         if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -733,7 +735,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                return NULL;
                }
  
-          if((limit - p - 4 - el) < 0) return NULL;
+          if((limit - ret - 4 - el) < 0) return NULL;
            
            s2n(TLSEXT_TYPE_renegotiate,ret);
            s2n(el,ret);
@@ -813,7 +815,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
  
                  ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
                  
-                if((limit - p - 4 - el) < 0) return NULL;
+                if((limit - ret - 4 - el) < 0) return NULL;
  
                  s2n(TLSEXT_TYPE_use_srtp,ret);
                  s2n(el,ret);
@@ -884,10 +886,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
                 }
  #endif
  
-       if ((extdatalen = ret-p-2)== 0) 
-               return p;
+       if ((extdatalen = ret-orig-2)== 0) 
+               return orig;
  
-       s2n(extdatalen,p);
+       s2n(extdatalen, orig);
         return ret;
         }
author	Ben Laurie <ben@links.org>
	Wed, 23 Apr 2014 17:13:20 +0000 (18:13 +0100)
committer	Ben Laurie <ben@links.org>
	Tue, 1 Jul 2014 22:39:17 +0000 (23:39 +0100)
ssl/ssl_locl.h		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history