Overview

File openssl-CVE-2016-6306.patch of Package openssl.4105

commit 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9
Author: Dr. Stephen Henson <steve@openssl.org>
Date:   Sat Sep 17 12:36:58 2016 +0100

    Fix small OOB reads.
    
    In ssl3_get_client_certificate, ssl3_get_server_certificate and
    ssl3_get_certificate_request check we have enough room
    before reading a length.
    
    Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
    
    CVE-2016-6306
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)

Index: openssl-1.0.1i/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_clnt.c	2016-09-22 14:31:45.461807190 +0200
+++ openssl-1.0.1i/ssl/s3_clnt.c	2016-09-22 14:34:09.320045549 +0200
@@ -1136,6 +1136,12 @@ int ssl3_get_server_certificate(SSL *s)
 		}
 	for (nc=0; nc<llen; )
 		{
+        	if (nc + 3 > llen) {
+            		al = SSL_AD_DECODE_ERROR;
+            		SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+                   		SSL_R_CERT_LENGTH_MISMATCH);
+            		goto f_err;
+        	}
 		n2l3(p,l);
 		if ((l+nc+3) > llen)
 			{
@@ -1993,6 +1999,11 @@ fclose(out);
 
 	for (nc=0; nc<llen; )
 		{
+        	if (nc + 2 > llen) {
+            		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+            		SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
+            		goto err;
+        	}
 		n2s(p,l);
 		if ((l+nc+2) > llen)
 			{
openSUSE Build Service is sponsored by
Places