Missing bounds check in ssl3_get_certificate_request(), was not spotted in

1.78; reported by Ilja Van Sprundel.
author: miod <miod@openbsd.org> 2014-07-17 11:32:21 +0000
committer: miod <miod@openbsd.org> 2014-07-17 11:32:21 +0000
commit: 6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5 (patch)
tree: 9619850b4279510b528faae04e1ed9347af27a4b /lib/libssl/src/ssl
parent: Fix typo in example httpd config which caused error on startup. (diff)
download: wireguard-openbsd-6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5.tar.xz
wireguard-openbsd-6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c
index b55b2e62c6a..8dbeb5ce800 100644
--- a/lib/libssl/src/ssl/s3_clnt.c
+++ b/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.83 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.84 2014/07/17 11:32:21 miod Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1678,6 +1678,11 @@ ssl3_get_certificate_request(SSL *s)
 	}
 
 	for (nc = 0; nc < llen; ) {
+		if (p + 2 - d > n) {
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
+			    SSL_R_DATA_LENGTH_TOO_LONG);
+			goto err;
+		}
 		n2s(p, l);
 		if ((l + nc + 2) > llen) {
 			if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
author	miod <miod@openbsd.org>	2014-07-17 11:32:21 +0000
committer	miod <miod@openbsd.org>	2014-07-17 11:32:21 +0000
commit	6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5 (patch)
tree	9619850b4279510b528faae04e1ed9347af27a4b /lib/libssl/src/ssl
parent	Fix typo in example httpd config which caused error on startup. (diff)
download	wireguard-openbsd-6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5.tar.xz wireguard-openbsd-6198ba19cd2e5fb9452d6daa7917ca98bb6c21d5.zip