46 lines
1.8 KiB
Diff
46 lines
1.8 KiB
Diff
From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001
|
|
From: Gabor Tyukasz <Gabor.Tyukasz@logmein.com>
|
|
Date: Wed, 23 Jul 2014 23:42:06 +0200
|
|
Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext
|
|
|
|
CVE-2014-3509
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
|
|
---
|
|
ssl/t1_lib.c | 17 ++++++++++-------
|
|
1 file changed, 10 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
index 8167a51..022a4fb 100644
|
|
--- a/ssl/t1_lib.c
|
|
+++ b/ssl/t1_lib.c
|
|
@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|
*al = TLS1_AD_DECODE_ERROR;
|
|
return 0;
|
|
}
|
|
- s->session->tlsext_ecpointformatlist_length = 0;
|
|
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
|
|
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
|
|
+ if (!s->hit)
|
|
{
|
|
- *al = TLS1_AD_INTERNAL_ERROR;
|
|
- return 0;
|
|
+ s->session->tlsext_ecpointformatlist_length = 0;
|
|
+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
|
|
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
|
|
+ {
|
|
+ *al = TLS1_AD_INTERNAL_ERROR;
|
|
+ return 0;
|
|
+ }
|
|
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
|
|
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
|
|
}
|
|
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
|
|
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
|
|
#if 0
|
|
fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
|
|
sdata = s->session->tlsext_ecpointformatlist;
|
|
--
|
|
1.8.3.1
|
|
|