out-of-bounds read in (unused) kerberos ciphersuites (CAN-2004-0112)

author: markus <markus@openbsd.org> 2004-03-17 14:22:02 +0000
committer: markus <markus@openbsd.org> 2004-03-17 14:22:02 +0000
commit: 2de26c68ed2fd2105e2b4d76f1dc02fd808b5220 (patch)
tree: 4ec1bc559f80814a9207945856e5648aa38c7a4d /lib/libssl/src
parent: fix a spacing issue found by deraadt@ and a separate typo from miod@; (diff)
download: wireguard-openbsd-2de26c68ed2fd2105e2b4d76f1dc02fd808b5220.tar.xz
wireguard-openbsd-2de26c68ed2fd2105e2b4d76f1dc02fd808b5220.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c
index 57f1d3f52a8..deb3cffabeb 100644
--- a/lib/libssl/src/ssl/s3_srvr.c
+++ b/lib/libssl/src/ssl/s3_srvr.c
@@ -1588,11 +1588,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
 
 		n2s(p,i);
 		enc_ticket.length = i;
+
+		if (n < enc_ticket.length + 6)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				SSL_R_DATA_LENGTH_TOO_LONG);
+			goto err;
+			}
+
 		enc_ticket.data = (char *)p;
 		p+=enc_ticket.length;
 
 		n2s(p,i);
 		authenticator.length = i;
+
+		if (n < enc_ticket.length + authenticator.length + 6)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+				SSL_R_DATA_LENGTH_TOO_LONG);
+			goto err;
+			}
+
 		authenticator.data = (char *)p;
 		p+=authenticator.length;
author	markus <markus@openbsd.org>	2004-03-17 14:22:02 +0000
committer	markus <markus@openbsd.org>	2004-03-17 14:22:02 +0000
commit	2de26c68ed2fd2105e2b4d76f1dc02fd808b5220 (patch)
tree	4ec1bc559f80814a9207945856e5648aa38c7a4d /lib/libssl/src
parent	fix a spacing issue found by deraadt@ and a separate typo from miod@; (diff)
download	wireguard-openbsd-2de26c68ed2fd2105e2b4d76f1dc02fd808b5220.tar.xz wireguard-openbsd-2de26c68ed2fd2105e2b4d76f1dc02fd808b5220.zip