Hello,

Our UC-KLEE tool found an out-of-bounds read bug in ssl3_get_key_exchange (ssl/s3_clnt.c) affecting the latest git revision in the OpenSSL 1.0.1 branch (and probably others). The bug permits a carefully-crafted ServerKeyExchange message to cause 1 or 2 bytes to be read past the end of the packet buffer. The packet buffer tends to be over-allocated, so I don't think this is likely to trigger a segfault. It also doesn't appear to pose much of a threat to client-side confidentiality (as far as I can tell).
The out-of-bounds read is allowed due to improper bounds checking. The packet is read by the call to ssl_get_message() on line 1291, which returns the length of the packet. Depending on the choice of cipher, lines 1359 (PSK), 1401 (SRP), 1486 (RSA), or 1540 (EDH) then read the first two bytes from the buffer. This initial read may be out-of-bounds since the return value of ssl_get_message() is never checked prior to the read. There are subsequent bounds checks, but each of these is effectively 2 bytes "behind," so any of the subsequent reads may be out-of-bounds by up to 2 bytes.

I believe the fix would be to add an initial check (except for the EECDH cipher) that rejects packets with n < 2, and then decrements n by 2. The read on line 1757 also appears to need a bounds check.

Thanks,
-David
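As an added illustration (not code from the report or from OpenSSL), the check ordering David proposes for a 2-byte length-prefixed ServerKeyExchange field, beside a model of the ordering he describes; the names struct field, parse_len_prefixed, field_matches and original_check_overreads are chosen here, and the sample messages in the comments are constructed:

```c
#include <stddef.h>
#include <string.h>

/* A 2-byte length-prefixed field of a ServerKeyExchange body (hint, SRP N, ...). */
struct field {
    const unsigned char *data;
    size_t len;
};

/* Hardened parse: reject n < 2 BEFORE touching p[0] and p[1], consume the
 * prefix, then bound the field against the bytes that actually remain.
 * Returns bytes consumed (2 + len) or -1 if malformed; 'out' may be NULL. */
long parse_len_prefixed(const unsigned char *p, size_t n, struct field *out)
{
    size_t len;
    if (n < 2)                     /* the initial check the report proposes */
        return -1;
    len = ((size_t)p[0] << 8) | p[1];
    p += 2;
    n -= 2;                        /* keep n in step with what was consumed */
    if (len > n)                   /* compare against remaining, not original */
        return -1;
    if (out) {
        out->data = p;
        out->len = len;
    }
    return (long)(2 + len);
}

/* 1 if p[0..n) parses and the field equals 'expected' (test helper). */
int field_matches(const unsigned char *p, size_t n, const char *expected)
{
    struct field f;
    if (parse_len_prefixed(p, n, &f) < 0 || f.len != strlen(expected))
        return 0;
    return memcmp(f.data, expected, f.len) == 0;
}

/* Models the ordering the report describes, without dereferencing anything:
 * the prefix is read unconditionally and the declared length is compared to
 * the ORIGINAL n, so the check runs 2 bytes behind what is consumed.
 * Returns 1 if that ordering would read past p[n-1], else 0. */
int original_check_overreads(size_t n, size_t declared_len)
{
    if (n < 2)                     /* the prefix read itself is out of bounds */
        return 1;
    if (declared_len > n)          /* the only check the old code applies */
        return 0;
    return (2 + declared_len) > n; /* overreads by at most 2 bytes */
}
```

With a 4-byte body declaring a 3- or 4-byte field, the modelled ordering accepts the message and would read 1 or 2 bytes past the end, which is the range the report gives; the hardened parse rejects both.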
