diff options
| author |   markus <markus@openbsd.org> | 2002-07-30 11:08:05 +0000 |
|---|---|---|
| committer | markus <markus@openbsd.org> | 2002-07-30 11:08:05 +0000 |
| commit | 428837d1af6ee7883726f5a6f82d6bae10ac0025 (patch) | |
| tree | 6cad96e6d9a4f7e09d07030b70c21d9902cf5e9b /lib/libssl/src/ssl/s2_srvr.c | |
| parent | strip_chroot here as well. (diff) | |
| download | wireguard-openbsd-428837d1af6ee7883726f5a6f82d6bae10ac0025.tar.xz wireguard-openbsd-428837d1af6ee7883726f5a6f82d6bae10ac0025.zip | |
apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2
Diffstat (limited to 'lib/libssl/src/ssl/s2_srvr.c')
| -rw-r--r-- | lib/libssl/src/ssl/s2_srvr.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c index 56da65195e7..a83605a1b76 100644 --- a/lib/libssl/src/ssl/s2_srvr.c +++ b/lib/libssl/src/ssl/s2_srvr.c @@ -116,6 +116,7 @@ #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> +#include "ssl_locl.h" static SSL_METHOD *ssl2_get_server_method(int ver); static int get_client_master_key(SSL *s); @@ -417,11 +418,18 @@ static int get_client_master_key(SSL *s) n2s(p,i); s->s2->tmp.clear=i; n2s(p,i); s->s2->tmp.enc=i; n2s(p,i); s->session->key_arg_length=i; + if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH) + { + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, + SSL_R_KEY_ARG_TOO_LONG); + return -1; + } s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; } /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ p=(unsigned char *)s->init_buf->data; + die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER); keya=s->session->key_arg_length; len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) @@ -504,6 +512,7 @@ static int get_client_master_key(SSL *s) #endif if (is_export) i+=s->s2->tmp.clear; + die(i <= SSL_MAX_MASTER_KEY_LENGTH); s->session->master_key_length=i; memcpy(s->session->master_key,p,(unsigned int)i); return(1); @@ -670,6 +679,7 @@ static int get_client_hello(SSL *s) p+=s->s2->tmp.session_id_length; /* challenge */ + die(s->s2->challenge_length <= sizeof s->s2->challenge); memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); return(1); mem_err: @@ -826,6 +836,7 @@ static int get_client_finished(SSL *s) } /* SSL2_ST_GET_CLIENT_FINISHED_B */ + die(s->s2->conn_id_length <= sizeof s->s2->conn_id); len = 1 + (unsigned long)s->s2->conn_id_length; n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); @@ -853,6 +864,7 @@ static int server_verify(SSL *s) { p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_SERVER_VERIFY; + die(s->s2->challenge_length <= sizeof s->s2->challenge); memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); /* p+=s->s2->challenge_length; */ @@ -872,6 +884,8 @@ static int server_finish(SSL *s) p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_SERVER_FINISHED; + die(s->session->session_id_length + <= sizeof s->session->session_id); memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length); /* p+=s->session->session_id_length; */ |