QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-05-09 16:09:47 +00:00
Code Issues Projects Releases Wiki Activity

Don't use OPENSSL_strdup() for copying alpn_selected

Browse Source 
An alpn_selected value containing NUL bytes in it will result in
ext.alpn_selected_len having a larger value than the number of bytes
allocated in ext.alpn_selected.

Issue found by OSS-fuzz.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6507)
This commit is contained in:
Matt Caswell 2018-06-18 11:30:21 +01:00
parent 4f1b96f9fc
commit 27232cc338
2 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/ssl_asn1.c
View File

@ -328,7 +328,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
ret->ext.tick_lifetime_hint = (unsigned long)as->tlsext_tick_lifetime_hint; ret->ext.tick_lifetime_hint = (unsigned long)as->tlsext_tick_lifetime_hint;
ret->ext.tick_age_add = as->tlsext_tick_age_add; ret->ext.tick_age_add = as->tlsext_tick_age_add;
if (as->tlsext_tick) { OPENSSL_free(ret->ext.tick);
if (as->tlsext_tick != NULL) {
ret->ext.tick = as->tlsext_tick->data; ret->ext.tick = as->tlsext_tick->data;
ret->ext.ticklen = as->tlsext_tick->length; ret->ext.ticklen = as->tlsext_tick->length;
as->tlsext_tick->data = NULL; as->tlsext_tick->data = NULL;
@ -355,11 +356,11 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
ret->flags = (int32_t)as->flags; ret->flags = (int32_t)as->flags;
ret->ext.max_early_data = as->max_early_data; ret->ext.max_early_data = as->max_early_data;
OPENSSL_free(ret->ext.alpn_selected);
if (as->alpn_selected != NULL) { if (as->alpn_selected != NULL) {
if (!ssl_session_strndup((char **)&ret->ext.alpn_selected, ret->ext.alpn_selected = as->alpn_selected->data;
as->alpn_selected))
goto err;
ret->ext.alpn_selected_len = as->alpn_selected->length; ret->ext.alpn_selected_len = as->alpn_selected->length;
as->alpn_selected->data = NULL;
} else { } else {
ret->ext.alpn_selected = NULL; ret->ext.alpn_selected = NULL;
ret->ext.alpn_selected_len = 0; ret->ext.alpn_selected_len = 0;
@ -367,6 +368,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
ret->ext.max_fragment_len_mode = as->tlsext_max_fragment_len_mode; ret->ext.max_fragment_len_mode = as->tlsext_max_fragment_len_mode;
OPENSSL_free(ret->ticket_appdata);
if (as->ticket_appdata != NULL) { if (as->ticket_appdata != NULL) {
ret->ticket_appdata = as->ticket_appdata->data; ret->ticket_appdata = as->ticket_appdata->data;
ret->ticket_appdata_len = as->ticket_appdata->length; ret->ticket_appdata_len = as->ticket_appdata->length;

8
ssl/ssl_sess.c
View File

@ -220,14 +220,12 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
dest->ext.ticklen = 0; dest->ext.ticklen = 0;
} }
if (src->ext.alpn_selected) { if (src->ext.alpn_selected != NULL) {
dest->ext.alpn_selected = dest->ext.alpn_selected = OPENSSL_memdup(src->ext.alpn_selected,
(unsigned char*)OPENSSL_strndup((char*)src->ext.alpn_selected,
src->ext.alpn_selected_len); src->ext.alpn_selected_len);
if (dest->ext.alpn_selected == NULL) { if (dest->ext.alpn_selected == NULL)
goto err; goto err;
} }
}
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
if (src->srp_username) { if (src->srp_username) {