Module Name: src Committed By: riz Date: Tue May 22 18:44:46 UTC 2012
Modified Files: src/crypto/external/bsd/openssl/dist/ssl [netbsd-6]: d1_enc.c t1_enc.c Log Message: Pull up following revision(s) (requested by drochner in ticket #276): crypto/external/bsd/openssl/dist/ssl/t1_enc.c: revision 1.4 crypto/external/bsd/openssl/dist/ssl/d1_enc.c: revision 1.2 pull in upstream rev.22547: Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and DTLS to fix DoS attack. (CVE-2012-2333) To generate a diff of this commit: cvs rdiff -u -r1.1.1.3 -r1.1.1.3.4.1 \ src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c cvs rdiff -u -r1.3 -r1.3.4.1 \ src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c:1.1.1.3 src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c:1.1.1.3.4.1
--- src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c:1.1.1.3 Sun Jun 5 15:00:31 2011
+++ src/crypto/external/bsd/openssl/dist/ssl/d1_enc.c Tue May 22 18:44:46 2012
@@ -260,7 +260,7 @@ int dtls1_enc(SSL *s, int send)
 }
 /* TLS 1.0 does not bound the number of padding bytes by the block size.
 * All of them must have value 'padding_length'. */
- if (i > (int)rec->length)
+ if (i + bs > (int)rec->length)
 {
 /* Incorrect padding. SSLerr() and ssl3_alert are done
 * by caller: we don't want to reveal whether this is
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.3 src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.3.4.1
--- src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.3 Sun Jun 5 23:09:49 2011
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c Tue May 22 18:44:46 2012
@@ -823,6 +823,8 @@ int tls1_enc(SSL *s, int send)
 if (s->version >= TLS1_1_VERSION
 && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
 {
+ if (bs > (int)rec->length)
+ return -1;
 rec->data += bs; /* skip the explicit IV */
 rec->input += bs;
 rec->length -= bs;
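Review bot: The `bs` term in the new condition `if (i + bs > (int)rec->length)` is not explained anywhere in the hunk; the comment directly above it still only describes the padding rule, so a reader cannot tell why a block size is added to a padding count. Per the log message the extra term reserves room for the explicit IV that is stripped from the record after this check, so the comment should say so, e.g. append ` * The record must also hold the explicit IV (bs bytes) that is skipped after this check. */`. The arithmetic itself looks safe as far as visible: if `i` is, as elsewhere in this code, one padding byte plus one, then `i + bs` cannot overflow `int`, and a too-short record now falls into the existing error branch without revealing which bound failed. The error branch and dtls1_enc itself continue outside the hunk.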
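Review bot: The new guard `if (bs > (int)rec->length) return -1;` still admits a record of exactly `bs` bytes, after which `rec->length -= bs` three lines below leaves a zero-length record; whether a later length or padding check rejects that is outside the hunk, so confirm it, and if nothing downstream does, `if (bs >= (int)rec->length) return -1;` is the tighter bound, since a CBC record must carry at least one cipher block beyond the explicit IV. The guard should also carry a comment stating what it prevents, e.g. `/* a record shorter than the explicit IV would wrap rec->length in the subtraction below */`, as the cast suggests `rec->length` is unsigned. Returning -1 rather than 0 presumably follows the caller's convention for a silent decryption failure, as the padding check in the d1_enc.c hunk describes; worth confirming against the caller. tls1_enc continues outside the hunk on both sides.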