The branch OpenSSL_1_1_0-stable has been updated via cdabf89acf65040560e0242cb70d945f3f3bdd5c (commit) from ae43c92a337db1756c42e4d9f53f0ab92b40c04f (commit)
- Log ----------------------------------------------------------------- commit cdabf89acf65040560e0242cb70d945f3f3bdd5c Author: Philippe Antoine <p.anto...@catenacyber.fr> Date: Mon Mar 26 10:23:51 2018 +0200 Adds multiple checks to avoid buffer over reads Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5686) ----------------------------------------------------------------------- Summary of changes: ssl/t1_trce.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 76bdf79..e5b4085 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -725,6 +725,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server, BIO_puts(bio, "No Extensions\n"); return 1; } + if (msglen < 2) + return 0; extslen = (msg[0] << 8) | msg[1]; if (extslen != msglen - 2) return 0; @@ -1092,6 +1094,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s, msglen -= xlen + 2; skip_sig: + if (msglen < 2) + return 0; xlen = (msg[0] << 8) | msg[1]; BIO_indent(bio, indent, 80); if (msglen < xlen + 2) @@ -1271,7 +1275,15 @@ void SSL_trace(int write_p, int version, int content_type, switch (content_type) { case SSL3_RT_HEADER: { - int hvers = msg[1] << 8 | msg[2]; + int hvers; + + /* avoid overlapping with length at the end of buffer */ + if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) { + BIO_puts(bio, write_p ? "Sent" : "Received"); + ssl_print_hex(bio, 0, " too short message", msg, msglen); + break; + } + hvers = msg[1] << 8 | msg[2]; BIO_puts(bio, write_p ? "Sent" : "Received"); BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n", ssl_trace_str(hvers, ssl_version_tbl), hvers); _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits