Hi,

On Wed, 2004-09-29 at 10:50, Leonard den Ottolander via RT wrote:
> Hello,
> 
> Going through Red Hat's 7.3 openssl-0.9.6b-35.7 openssl-0.9.6b-sec.patch
> I noticed that in openssl-engine-0.9.6m (& SNAP 2004-09-26) there is a
> hunk from this patch missing. Everything else has been merged, so I
> believe this to be an unintentional omission.
> 
> In RHL 7.3's openssl-0.9.6b-sec.patch there is this one hunk:
> 
> --- ./ssl/ssl_asn1.c.chats      Thu Apr  5 21:28:48 2001
> +++ ./ssl/ssl_asn1.c    Thu Jul 25 16:41:00 2002
> @@ -275,6 +276,7 @@
>                 os.length=i;
>  
>         ret->session_id_length=os.length;
> +       die(os.length <= sizeof ret->session_id);
>         memcpy(ret->session_id,os.data,os.length);
>  
>         M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
> 
> In 0.9.6m die() is usually substituted with a
> +       if (os.length > sizeof ret->session_id)
> +               {
> +               SSLerr(,);
> +               return -1;
> +               }
> block.
> 
> In 0.9.6m this check is missing and should be added:
> 
>         ret->session_id_length=os.length;
>         memcpy(ret->session_id,os.data,os.length);
> 
> It is there in 0.9.7d:
> 
>         ret->session_id_length=os.length;
>         OPENSSL_assert(os.length <= sizeof ret->session_id);
>         memcpy(ret->session_id,os.data,os.length);
> 
> The fact that there is an OPENSSL_assert in 0.9.7d makes me believe the
> hunk was dropped unintentionally in the 0.9.6 branch, and should be
> reintroduced.
> 
> The patch below reintroduces die(), and the declaration of OpenSSLDie().
> The definition of OpenSSLDie() is still in cryptlib.c. If you decide to
> use another construct instead of die() the definition of OpenSSLDie()
> should probably be removed.
> 
> Leonard.
> 
> P.S. The bug report page that is mentioned in the README
> (http://www.openssl.org/rt2.html) seems to no longer exist. Maybe the
> README can be updated?

Any progress on this issue?

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to