Reject elliptic curve lists of odd lengths.

The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 33d5ba862939ff8db70a9e36fc9a326fab3e8d98)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d02ae19d58f47560a5f512d8dc1ebaf8f6fc8cc0..3ef5bed1fb0c6c8db511fc58acc0157584089869 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2171,7 +2171,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
                        ellipticcurvelist_length += (*(sdata++));
 
                        if (ellipticcurvelist_length != size - 2 ||
-                               ellipticcurvelist_length < 1)
+                               ellipticcurvelist_length < 1 ||
+                               /* Each NamedCurve is 2 bytes. */
+                               ellipticcurvelist_length & 1)
                                {
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;