1 files changed, 23 insertions, 6 deletions

diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp
index 25e00d45d2b..5d5632f3ba4 100644
--- a/extra/yassl/src/yassl_imp.cpp
+++ b/extra/yassl/src/yassl_imp.cpp
@@ -242,6 +242,7 @@ void EncryptedPreMasterSecret::read(SSL& ssl, input_buffer& input)
     }
 
     opaque preMasterSecret[SECRET_LEN];
+    memset(preMasterSecret, 0, sizeof(preMasterSecret));
     rsa.decrypt(preMasterSecret, secret_, length_, 
                 ssl.getCrypto().get_random());
 
@@ -300,6 +301,11 @@ void ClientDiffieHellmanPublic::read(SSL& ssl, input_buffer& input)
     tmp[1] = input[AUTO];
     ato16(tmp, keyLength);
 
+    if (keyLength < dh.get_agreedKeyLength()/2) {
+        ssl.SetError(bad_input);
+        return;
+    }
+
     alloc(keyLength);
     input.read(Yc_, keyLength);
     if (input.get_error()) {
@@ -408,6 +414,10 @@ void DH_Server::read(SSL& ssl, input_buffer& input)
     tmp[1] = input[AUTO];
     ato16(tmp, length);
 
+    if (length == 0) {
+        ssl.SetError(bad_input);
+        return;
+    }
     signature_ = NEW_YS byte[length];
     input.read(signature_, length);
     if (input.get_error()) {
@@ -864,6 +874,12 @@ void ChangeCipherSpec::Process(input_buffer& input, SSL& ssl)
         return;
     }
 
+    // detect duplicate change_cipher
+    if (ssl.getSecurity().get_parms().pending_ == false) {
+        ssl.order_error();
+        return;
+    }
+
     ssl.useSecurity().use_parms().pending_ = false;
     if (ssl.getSecurity().get_resuming()) {
         if (ssl.getSecurity().get_parms().entity_ == client_end)
@@ -2047,12 +2063,8 @@ input_buffer& operator>>(input_buffer& input, CertificateRequest& request)
         tmp[0] = input[AUTO];
         tmp[1] = input[AUTO];
         ato16(tmp, dnSz);
-        
-        DistinguishedName dn;
-        request.certificate_authorities_.push_back(dn = NEW_YS 
-                                                  byte[REQUEST_HEADER + dnSz]);
-        memcpy(dn, tmp, REQUEST_HEADER);
-        input.read(&dn[REQUEST_HEADER], dnSz);
+       
+        input.set_current(input.get_current() + dnSz);
 
         sz -= dnSz + REQUEST_HEADER;
 
@@ -2191,6 +2203,11 @@ input_buffer& operator>>(input_buffer& input, CertificateVerify& request)
     ato16(tmp, sz);
     request.set_length(sz);
 
+    if (sz == 0) {
+        input.set_error();
+        return input;
+    }
+
     request.signature_ = NEW_YS byte[sz];
     input.read(request.signature_, sz);