fix CVE-2010-3864
This commit is contained in:
Dr. Stephen Henson
parent
3e8b8b8990
commit
2ae47ddbc2
3 changed files with 23 additions and 4 deletions
5
CHANGES
5
CHANGES
|
|
@ -4,6 +4,11 @@
|
|||
|
||||
Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
|
||||
|
||||
*) Fix extension code to avoid race conditions which can result in a buffer
|
||||
overrun vulnerability: resumed sessions must not be modified as they can
|
||||
be shared by multiple threads. CVE-2010-3864
|
||||
[Steve Henson]
|
||||
|
||||
*) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
|
||||
[Steve Henson]
|
||||
|
||||
|
|
|
|||
4
NEWS
4
NEWS
|
|
@ -5,6 +5,10 @@
|
|||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
|
||||
|
||||
o Fix for security issue CVE-2010-3864.
|
||||
|
||||
Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
|
||||
|
||||
o Fix for security issue CVE-2010-0742.
|
||||
|
|
|
|||
18
ssl/t1_lib.c
18
ssl/t1_lib.c
|
|
@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|||
switch (servname_type)
|
||||
{
|
||||
case TLSEXT_NAMETYPE_host_name:
|
||||
if (s->session->tlsext_hostname == NULL)
|
||||
if (!s->hit)
|
||||
{
|
||||
if (len > TLSEXT_MAXLEN_host_name ||
|
||||
((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
|
||||
if(s->session->tlsext_hostname)
|
||||
{
|
||||
*al = SSL_AD_DECODE_ERROR;
|
||||
return 0;
|
||||
}
|
||||
if (len > TLSEXT_MAXLEN_host_name)
|
||||
{
|
||||
*al = TLS1_AD_UNRECOGNIZED_NAME;
|
||||
return 0;
|
||||
}
|
||||
if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
|
||||
{
|
||||
*al = TLS1_AD_INTERNAL_ERROR;
|
||||
return 0;
|
||||
}
|
||||
memcpy(s->session->tlsext_hostname, sdata, len);
|
||||
s->session->tlsext_hostname[len]='\0';
|
||||
if (strlen(s->session->tlsext_hostname) != len) {
|
||||
|
|
@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|||
|
||||
}
|
||||
else
|
||||
s->servername_done = strlen(s->session->tlsext_hostname) == len
|
||||
s->servername_done = s->session->tlsext_hostname
|
||||
&& strlen(s->session->tlsext_hostname) == len
|
||||
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
|
||||
|
||||
break;
|
||||
|
|
|
|||
Loading…
Reference in a new issue