QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 11:14:36 +00:00
Code Issues Projects Releases Wiki Activity

Fix a hang with SSL_peek()

Browse Source 
If while calling SSL_peek() we read an empty record then we go into an
infinite loop, continually trying to read data from the empty record and
never making any progress. This could be exploited by a malicious peer in
a Denial Of Service attack.

CVE-2016-6305

GitHub Issue #1563

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Matt Caswell 2016-09-10 21:24:40 +01:00
parent c31dbed70c
commit b8d2439562
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssl/record/rec_layer_s3.c
View File

@ -1133,7 +1133,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
memcpy(buf, &(rr->data[rr->off]), n); memcpy(buf, &(rr->data[rr->off]), n);
buf += n; buf += n;
if (!peek) { if (peek) {
/* Mark any zero length record as consumed CVE-2016-6305 */
if (SSL3_RECORD_get_length(rr) == 0)
SSL3_RECORD_set_read(rr);
} else {
SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_sub_length(rr, n);
SSL3_RECORD_add_off(rr, n); SSL3_RECORD_add_off(rr, n);
if (SSL3_RECORD_get_length(rr) == 0) { if (SSL3_RECORD_get_length(rr) == 0) {