Fix ssl_get_prev_session overrun

If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad) Conflicts: ssl/ssl_sess.c
author: Matt Caswell <matt@openssl.org> 2015-04-10 16:49:33 +0100
committer: Matt Caswell <matt@openssl.org> 2015-04-14 15:02:44 +0100
commit: 5d28381ae44725254e92bab9797593c6d3fa1e86 (patch)
tree: 29dada7f44a9649209cf2b358199876fda46ea3c
parent: eeda966123e96e890ad56bfcaaec82d07b36e26a (diff)
download: openssl-new-5d28381ae44725254e92bab9797593c6d3fa1e86.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 9c797e3ed6..fc312968f8 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -310,6 +310,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 
     if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
         goto err;
+
+    if (session_id + len > limit) {
+        fatal = 1;
+        goto err;
+    }
+
 #ifndef OPENSSL_NO_TLSEXT
     r = tls1_process_ticket(s, session_id, len, limit, &ret);
     if (r == -1) {
author	Matt Caswell <matt@openssl.org>	2015-04-10 16:49:33 +0100
committer	Matt Caswell <matt@openssl.org>	2015-04-14 15:02:44 +0100
commit	5d28381ae44725254e92bab9797593c6d3fa1e86 (patch)
tree	29dada7f44a9649209cf2b358199876fda46ea3c
parent	eeda966123e96e890ad56bfcaaec82d07b36e26a (diff)
download	openssl-new-5d28381ae44725254e92bab9797593c6d3fa1e86.tar.gz