authorjpierre%netscape.com <devnull@localhost>2004-06-30 03:42:46 +0000
committerjpierre%netscape.com <devnull@localhost>2004-06-30 03:42:46 +0000
commit595089f63892c4f06aa0a222997863d11c1c75d4 (patch)
tree33438c5fcc87228da14f4cf8008a3916b8449df9
parent11e18adfc3831eccf6c1f4ae20a65ca1b3d56b2f (diff)
downloadnss-hg-595089f63892c4f06aa0a222997863d11c1c75d4.tar.gz
Fix for bugtraq 5069683. r=ian
-rw-r--r--security/nss/lib/ssl/sslcon.c31
1 files changed, 27 insertions, 4 deletions
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index 09f390fa8..53575bf68 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -2545,7 +2545,7 @@ ssl2_HandleMessage(sslSocket *ss)
case SSL_MT_REQUEST_CERTIFICATE:
len = gs->recordLen - 2;
- if ((len != SSL_MIN_CHALLENGE_BYTES) ||
+ if ((len < SSL_MIN_CHALLENGE_BYTES) ||
(len > SSL_MAX_CHALLENGE_BYTES)) {
/* Bad challenge */
SSL_DBG(("%d: SSL[%d]: bad cert request message: code len=%d",
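Review bot: The relaxed comparison on the `+` line accepts any challenge length between SSL_MIN_CHALLENGE_BYTES and SSL_MAX_CHALLENGE_BYTES where the old code demanded exactly SSL_MIN_CHALLENGE_BYTES, but nothing in the hunk says why, and the commit title does not either; a one-line comment such as `/* the challenge length is variable; accept any length in [MIN, MAX] */` keeps the next reader from "fixing" it back. `len` is computed as `gs->recordLen - 2` on the line above and its declaration is outside the hunk: if it is unsigned, a recordLen below 2 wraps to a huge value that the `> SSL_MAX_CHALLENGE_BYTES` arm rejects, and if it is signed the negative value is rejected by the `<` arm, so the guard holds either way — worth stating in that comment so the reliance on both arms is explicit. ssl2_HandleMessage continues outside the hunk.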
@@ -2589,6 +2589,11 @@ ssl2_HandleMessage(sslSocket *ss)
PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
goto loser;
}
+ if (certLen + responseLen + SSL_HL_CLIENT_CERTIFICATE_HBYTES
+ > ss->gather->recordLen) {
+ /* prevent overflow crash. */
+ rv = SECFailure;
+ } else
rv = ssl2_HandleClientCertificate(ss, data[1],
data + SSL_HL_CLIENT_CERTIFICATE_HBYTES,
certLen,
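Review bot: The new rejection branch sets `rv = SECFailure` without calling PORT_SetError, unlike the branch immediately above it (`PORT_SetError(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE); goto loser;`), so whoever reports this failure sees whatever error code happened to be set last. Set a code and take the same exit — `PORT_SetError(SSL_ERROR_BAD_CLIENT); goto loser;` in place of `rv = SECFailure;` — which also removes the brace-less `} else` in front of the multi-line ssl2_HandleClientCertificate call; if `loser` does more than return the failure, keep `rv = SECFailure` but still set the error code first. The comment `/* prevent overflow crash. */` describes a record-bounds check rather than arithmetic overflow; `/* the certificate and response must lie inside the received record */` says what is actually tested. certLen and responseLen are declared outside the hunk, so whether their sum can itself wrap depends on their width — presumably small wire fields, but worth confirming.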
@@ -2791,8 +2796,22 @@ ssl2_HandleServerHelloMessage(sslSocket *ss)
}
}
- /* Save connection-id for later */
- PORT_Memcpy(ci->connectionID, cs + csLen, sizeof(ci->connectionID));
+ if ((SSL_HL_SERVER_HELLO_HBYTES + certLen + csLen + cidLen
+ > ss->gather->recordLen)
+ || (csLen % 3) != 0
+ /* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32 */
+ ) {
+ goto bad_server;
+ }
+
+ /* Save connection-id.
+ ** This code only saves the first 16 byte of the connectionID.
+ ** If the connectionID is shorter than 16 bytes, it is zero-padded.
+ */
+ if (cidLen < sizeof ci->connectionID)
+ memset(ci->connectionID, 0, sizeof ci->connectionID);
+ cidLen = PR_MIN(cidLen, sizeof ci->connectionID);
+ PORT_Memcpy(ci->connectionID, cs + csLen, cidLen);
/* See if session-id hit */
needed = CIS_HAVE_MASTER_KEY | CIS_HAVE_FINISHED | CIS_HAVE_VERIFY;
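Review bot: The disabled condition `/* || cidLen < SSL_CONNECTIONID_BYTES || cidLen > 32 */` is left in the new `if` as commented-out code with no explanation, so a reader cannot tell whether the connection-id length is deliberately unchecked (the zero-padding comment below suggests so) or was simply not finished. Replace it with a sentence recording the decision, e.g. `/* cidLen is intentionally not range-checked: short ids are zero-padded and long ids truncated below */`, and if a short or empty id is in fact unacceptable, re-enable the check instead of padding. The bounds test uses `>`, so a record with trailing bytes after the connection id is accepted here, whereas the client-hello check later in this commit requires the lengths to add up exactly with `!=`; either tighten this one or note why trailing data is tolerated. `cidLen < sizeof ci->connectionID` and the PR_MIN compare cidLen (declared outside the hunk) against a size_t, which is a signed/unsigned comparison if cidLen is an int; an explicit `(unsigned)cidLen` would make the intent visible. ssl2_HandleServerHelloMessage continues outside the hunk.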
@@ -3480,7 +3499,11 @@ ssl2_HandleClientHelloMessage(sslSocket *ss)
challenge = sd + sdLen;
PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen));
- if ((unsigned)gs->recordLen !=
+ if (!csLen || (csLen % 3) != 0 ||
+ (sdLen != 0 && sdLen != SSL_SESSIONID_BYTES) ||
+ challengeLen < SSL_MIN_CHALLENGE_BYTES ||
+ challengeLen > SSL_MAX_CHALLENGE_BYTES ||
+ (unsigned)ss->gather->recordLen !=
SSL_HL_CLIENT_HELLO_HBYTES + csLen + sdLen + challengeLen) {
SSL_DBG(("%d: SSL[%d]: bad client hello message, len=%d should=%d",
SSL_GETPID(), ss->fd, gs->recordLen,
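Review bot: The `PRINT_BUF(7, (ss, "server, client session-id value:", sd, sdLen))` call at the top of the hunk dumps sdLen bytes from sd before the new length validation runs, so in a build where PRINT_BUF is active a bad sdLen still reads past the record, and `challenge = sd + sdLen` on the line above it computes a pointer whose position is only known to be in bounds once the record length has been checked. The added `if` block should be moved above those two lines; that is a reordering of the new condition rather than new code. The new condition also spells the length as `ss->gather->recordLen` while the adjacent SSL_DBG and the old line use `gs->recordLen`; one form is enough within a single expression. ssl2_HandleClientHelloMessage continues outside the hunk.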