From 2ae47ddbc27505652b855449b23d80614c864329 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 16 Nov 2010 14:26:18 +0000 Subject: [PATCH] fix CVE-2010-3864 --- CHANGES | 5 +++++ NEWS | 4 ++++ ssl/t1_lib.c | 18 ++++++++++++++---- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 23f145ca36..1b5db78d35 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] + *) Fix extension code to avoid race conditions which can result in a buffer + overrun vulnerability: resumed sessions must not be modified as they can + be shared by multiple threads. CVE-2010-3864 + [Steve Henson] + *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 [Steve Henson] diff --git a/NEWS b/NEWS index 857fb94945..65f4ef2050 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: + + o Fix for security issue CVE-2010-3864. + Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o: o Fix for security issue CVE-2010-0742. diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d61c08c8ef..0cc8320e17 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break;