|
 |
2b5643 |
diff -up openssl-1.0.1e/ssl/d1_both.c.heartbeat openssl-1.0.1e/ssl/d1_both.c
|
|
|
2b5643 |
--- openssl-1.0.1e/ssl/d1_both.c.heartbeat 2014-04-07 12:52:01.884308971 +0200
|
|
|
2b5643 |
+++ openssl-1.0.1e/ssl/d1_both.c 2014-04-07 13:04:32.860128295 +0200
|
|
|
2b5643 |
@@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s)
|
|
|
2b5643 |
unsigned int payload;
|
|
|
2b5643 |
unsigned int padding = 16; /* Use minimum padding */
|
|
|
2b5643 |
|
|
|
2b5643 |
- /* Read type and payload length first */
|
|
|
2b5643 |
- hbtype = *p++;
|
|
|
2b5643 |
- n2s(p, payload);
|
|
|
2b5643 |
- pl = p;
|
|
|
2b5643 |
-
|
|
|
2b5643 |
if (s->msg_callback)
|
|
|
2b5643 |
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
|
|
|
2b5643 |
&s->s3->rrec.data[0], s->s3->rrec.length,
|
|
|
2b5643 |
s, s->msg_callback_arg);
|
|
|
2b5643 |
|
|
|
2b5643 |
+ /* Read type and payload length first */
|
|
|
2b5643 |
+ if (1 + 2 + 16 > s->s3->rrec.length)
|
|
|
2b5643 |
+ return 0; /* silently discard */
|
|
|
2b5643 |
+ hbtype = *p++;
|
|
|
2b5643 |
+ n2s(p, payload);
|
|
|
2b5643 |
+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
|
|
|
2b5643 |
+ return 0; /* silently discard per RFC 6520 sec. 4 */
|
|
|
2b5643 |
+ pl = p;
|
|
|
2b5643 |
+
|
|
|
2b5643 |
if (hbtype == TLS1_HB_REQUEST)
|
|
|
2b5643 |
{
|
|
|
2b5643 |
unsigned char *buffer, *bp;
|
|
|
2b5643 |
+ unsigned int write_length = 1 /* heartbeat type */ +
|
|
|
2b5643 |
+ 2 /* heartbeat length */ +
|
|
|
2b5643 |
+ payload + padding;
|
|
|
2b5643 |
int r;
|
|
|
2b5643 |
|
|
|
2b5643 |
+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
|
|
|
2b5643 |
+ return 0;
|
|
|
2b5643 |
+
|
|
|
2b5643 |
/* Allocate memory for the response, size is 1 byte
|
|
|
2b5643 |
* message type, plus 2 bytes payload length, plus
|
|
|
2b5643 |
* payload, plus padding
|
|
|
2b5643 |
*/
|
|
|
2b5643 |
- buffer = OPENSSL_malloc(1 + 2 + payload + padding);
|
|
|
2b5643 |
+ buffer = OPENSSL_malloc(write_length);
|
|
|
2b5643 |
bp = buffer;
|
|
|
2b5643 |
|
|
|
2b5643 |
/* Enter response type, length and copy payload */
|
|
|
2b5643 |
@@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s)
|
|
|
2b5643 |
/* Random padding */
|
|
|
2b5643 |
RAND_pseudo_bytes(bp, padding);
|
|
|
2b5643 |
|
|
|
2b5643 |
- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
|
|
|
2b5643 |
+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
|
|
|
2b5643 |
|
|
|
2b5643 |
if (r >= 0 && s->msg_callback)
|
|
|
2b5643 |
s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
|
|
|
2b5643 |
- buffer, 3 + payload + padding,
|
|
|
2b5643 |
+ buffer, write_length,
|
|
|
2b5643 |
s, s->msg_callback_arg);
|
|
|
2b5643 |
|
|
|
2b5643 |
OPENSSL_free(buffer);
|
|
|
2b5643 |
diff -up openssl-1.0.1e/ssl/t1_lib.c.heartbeat openssl-1.0.1e/ssl/t1_lib.c
|
|
|
2b5643 |
--- openssl-1.0.1e/ssl/t1_lib.c.heartbeat 2014-04-07 12:52:01.891308997 +0200
|
|
|
2b5643 |
+++ openssl-1.0.1e/ssl/t1_lib.c 2014-04-07 12:57:45.063603587 +0200
|
|
|
2b5643 |
@@ -2463,16 +2463,20 @@ tls1_process_heartbeat(SSL *s)
|
|
|
2b5643 |
unsigned int payload;
|
|
|
2b5643 |
unsigned int padding = 16; /* Use minimum padding */
|
|
|
2b5643 |
|
|
|
2b5643 |
- /* Read type and payload length first */
|
|
|
2b5643 |
- hbtype = *p++;
|
|
|
2b5643 |
- n2s(p, payload);
|
|
|
2b5643 |
- pl = p;
|
|
|
2b5643 |
-
|
|
|
2b5643 |
if (s->msg_callback)
|
|
|
2b5643 |
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
|
|
|
2b5643 |
&s->s3->rrec.data[0], s->s3->rrec.length,
|
|
|
2b5643 |
s, s->msg_callback_arg);
|
|
|
2b5643 |
|
|
|
2b5643 |
+ /* Read type and payload length first */
|
|
|
2b5643 |
+ if (1 + 2 + 16 > s->s3->rrec.length)
|
|
|
2b5643 |
+ return 0; /* silently discard */
|
|
|
2b5643 |
+ hbtype = *p++;
|
|
|
2b5643 |
+ n2s(p, payload);
|
|
|
2b5643 |
+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
|
|
|
2b5643 |
+ return 0; /* silently discard per RFC 6520 sec. 4 */
|
|
|
2b5643 |
+ pl = p;
|
|
|
2b5643 |
+
|
|
|
2b5643 |
if (hbtype == TLS1_HB_REQUEST)
|
|
|
2b5643 |
{
|
|
|
2b5643 |
unsigned char *buffer, *bp;
|