author | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-13 10:19:14 +0530 |
---|---|---|
committer | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-13 10:19:14 +0530 |
commit | b77d3b0ca5da906ec7845622b1a321fd55547c4b (patch) | |
tree | 82b567e0c278179afa964f3b48a982d550c52ad8 /extra | |
parent | fc2ad0afc3070ffa48c56cb3087d25284d53bc7a (diff) | |
parent | 69689fa432aa1570ecda306bcc18609da4488838 (diff) | |
download | mariadb-git-b77d3b0ca5da906ec7845622b1a321fd55547c4b.tar.gz |
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY()
Description: Merge from 5.1 to 5.5
Diffstat (limited to 'extra')
-rw-r--r-- | extra/yassl/src/handshake.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index c1ee61d043e..c7dbaf86071 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)
 while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
 // each message in record, can be more than 1 if not encrypted
- if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+ if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+ // sanity check for malicious/corrupted/illegal input
+ if (buffer.get_remaining() < hdr.length_) {
+ ssl.SetError(bad_input);
+ return 0;
+ }
 decrypt_message(ssl, buffer, hdr.length_);
+ }
 mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
 if (!msg.get()) { |
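Review bot: The new length check sits only inside the cipher-on branch, so a record processed while `pending_` is still true reaches `mf.CreateObject(hdr.type_)` and the parsing that follows with the same peer-supplied `hdr.length_`, unchecked by anything in this hunk. If nothing earlier in `DoProcessReply` (it starts and ends outside the hunk) already compares `hdr.length_` with the buffered data, the comparison belongs once before the `while` loop rather than per iteration, because a plaintext record can hold several messages and `get_remaining()` shrinks as they are consumed. The guard also bounds the length only from above; whether `decrypt_message` copes with a record shorter than its MAC and padding is not visible here and is worth confirming. A comment that states the invariant, e.g. `// record body must be fully buffered before decrypting hdr.length_ bytes`, would tell the next reader more than "sanity check".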