LogoopenSUSE Build Service > Projects
Sign Up | Log In

View File openssl-CVE-2006-4343.patch of Package compat-openssl097g (Project openSUSE:11.4)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a 
possible DoS in the sslv2 client code.  Where a client application uses 
OpenSSL to make a SSLv2 connection to a malicious server that server 
could cause the client to crash.  CVE-2006-4343

--- ssl/s2_clnt.c	2005-08-06 00:52:07.000000000 +0100
+++ ssl/s2_clnt.c	2006-08-28 19:14:59.398605000 +0100
@@ -520,7 +520,8 @@ static int get_server_hello(SSL *s)
 		CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
 		}
 
-	if (s->session->peer != s->session->sess_cert->peer_key->x509)
+	if (s->session->sess_cert == NULL 
+      || s->session->peer != s->session->sess_cert->peer_key->x509)
 		/* can't happen */
 		{
 		ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);