rpms / openssl

Clone
Source Code
GIT

Files

  1.   a023338b5c24846a4ee15b47500ad1aeb4c67fc9
  2.   SOURCES
  3.   openssl-1.0.1e-cve-2016-6306.patch
Blob Blame History Raw 
diff -up openssl-1.0.1e/ssl/d1_both.c.certmsg-len openssl-1.0.1e/ssl/d1_both.c
--- openssl-1.0.1e/ssl/d1_both.c.certmsg-len	2016-09-20 16:12:01.000000000 +0200
+++ openssl-1.0.1e/ssl/d1_both.c	2016-09-22 11:02:54.277707284 +0200
@@ -506,8 +506,11 @@ static int dtls1_preprocess_fragment(SSL
 	if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
 		{
 		/* msg_len is limited to 2^24, but is effectively checked
-		 * against max above */
-		if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH))
+		 * against max above
+		 *
+		 * Make buffer slightly larger than message length as
+		 * a precaution against small OOB reads e.g. CVE-2016-6306 */
+		if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH+16))
 			{
 			SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB);
 			return SSL_AD_INTERNAL_ERROR;
diff -up openssl-1.0.1e/ssl/s3_both.c.certmsg-len openssl-1.0.1e/ssl/s3_both.c
--- openssl-1.0.1e/ssl/s3_both.c.certmsg-len	2016-09-20 14:55:57.000000000 +0200
+++ openssl-1.0.1e/ssl/s3_both.c	2016-09-22 11:06:00.945725379 +0200
@@ -518,7 +518,11 @@ long ssl3_get_message(SSL *s, int st1, i
 			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
 			goto f_err;
 			}
-		if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
+		/*
+		 * Make buffer slightly larger than message length as a precaution
+		 * against small OOB reads e.g. CVE-2016-6306
+		 */
+		if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4+16))
 			{
 			SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
 			goto err;
diff -up openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len openssl-1.0.1e/ssl/s3_clnt.c
--- openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len	2016-09-20 14:55:57.000000000 +0200
+++ openssl-1.0.1e/ssl/s3_clnt.c	2016-09-20 18:27:22.683077436 +0200
@@ -1128,6 +1128,12 @@ int ssl3_get_server_certificate(SSL *s)
 		}
 	for (nc=0; nc<llen; )
 		{
+		if (nc+3 > llen)
+			{
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
 		n2l3(p,l);
 		if ((l+nc+3) > llen)
 			{
@@ -1979,6 +1985,12 @@ fclose(out);
 
 	for (nc=0; nc<llen; )
 		{
+		if (nc+2 > llen)
+			{
+			ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+			SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+			goto err;
+			}
 		n2s(p,l);
 		if ((l+nc+2) > llen)
 			{
diff -up openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len openssl-1.0.1e/ssl/s3_srvr.c
--- openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len	2016-09-20 15:14:11.000000000 +0200
+++ openssl-1.0.1e/ssl/s3_srvr.c	2016-09-20 18:29:26.167950476 +0200
@@ -3269,6 +3269,12 @@ int ssl3_get_client_certificate(SSL *s)
 		}
 	for (nc=0; nc<llen; )
 		{
+		if (nc+3 > llen)
+			{
+			al = SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
+			goto f_err;
+			}
 		n2l3(p,l);
 		if ((l+nc+3) > llen)
 			{

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation