fix for CVE-2011-0014 "OCSP stapling vulnerability";

ok markus@ jasper@ miod@ AFAIK nothing in base uses this, though apache2 from ports may be affected.
author: djm <djm@openbsd.org> 2011-02-10 22:40:27 +0000
committer: djm <djm@openbsd.org> 2011-02-10 22:40:27 +0000
commit: 26d465f0668a7a3e8949bf120ad5c39e4c94e02b (patch)
tree: fb964f4e2cf6a10f349ca5a4f0a06ad55e0e3836 /lib/libssl/src/ssl/t1_lib.c
parent: Put a limit on recursion during matching, and reject input of size greater (diff)
download: wireguard-openbsd-26d465f0668a7a3e8949bf120ad5c39e4c94e02b.tar.xz
wireguard-openbsd-26d465f0668a7a3e8949bf120ad5c39e4c94e02b.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c
index 833fc172de1..0baa70663aa 100644
--- a/lib/libssl/src/ssl/t1_lib.c
+++ b/lib/libssl/src/ssl/t1_lib.c
@@ -917,6 +917,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 						}
 					n2s(data, idsize);
 					dsize -= 2 + idsize;
+					size -= 2 + idsize;
 					if (dsize < 0)
 						{
 						*al = SSL_AD_DECODE_ERROR;
@@ -955,9 +956,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 					}
 
 				/* Read in request_extensions */
+				if (size < 2)
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
 				n2s(data,dsize);
 				size -= 2;
-				if (dsize > size) 
+				if (dsize != size)
 					{
 					*al = SSL_AD_DECODE_ERROR;
 					return 0;
author	djm <djm@openbsd.org>	2011-02-10 22:40:27 +0000
committer	djm <djm@openbsd.org>	2011-02-10 22:40:27 +0000
commit	26d465f0668a7a3e8949bf120ad5c39e4c94e02b (patch)
tree	fb964f4e2cf6a10f349ca5a4f0a06ad55e0e3836 /lib/libssl/src/ssl/t1_lib.c
parent	Put a limit on recursion during matching, and reject input of size greater (diff)
download	wireguard-openbsd-26d465f0668a7a3e8949bf120ad5c39e4c94e02b.tar.xz wireguard-openbsd-26d465f0668a7a3e8949bf120ad5c39e4c94e02b.zip