From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001

From: Gabor Tyukasz <Gabor.Tyukasz@logmein.com>

Date: Wed, 23 Jul 2014 23:42:06 +0200

Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509

Reviewed-by: Tim Hudson <tjh@openssl.org>

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

---

 ssl/t1_lib.c | 17 ++++++++++-------

 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 8167a51..022a4fb 100644

--- a/ssl/t1_lib.c

+++ b/ssl/t1_lib.c

@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in

 				*al = TLS1_AD_DECODE_ERROR;

 				return 0;

 				}

-			s->session->tlsext_ecpointformatlist_length = 0;

-			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);

-			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+			if (!s->hit)

 				{

-				*al = TLS1_AD_INTERNAL_ERROR;

-				return 0;

+				s->session->tlsext_ecpointformatlist_length = 0;

+				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);

+				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+					{

+					*al = TLS1_AD_INTERNAL_ERROR;

+					return 0;

+					}

+				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

+				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

 				}

-			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

-			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

 #if 0

 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");

 			sdata = s->session->tlsext_ecpointformatlist;

-- 

1.8.3.1