On Mon, Dec 18, 2000 at 01:34:37AM -0800, Eric Day wrote:
> I came across this bug while I found our SSL server was coring a few times a
> day. I used dmalloc (www.dmalloc.com) to help trace it down to a client
> using MSIE with SSLv3 off and using SSLv2. I have not tried, but I assume
> any SSLv2 client will cause the same results. It comes down to calculating
> a wrong buffer size and overwriting a buffer limit. Here are the details:
[...]
Thanks a lot for reporting this. The fix:
Index: s2_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s2_lib.c,v
retrieving revision 1.29
diff -u -u -r1.29 s2_lib.c
--- s2_lib.c 2000/06/21 02:25:28 1.29
+++ s2_lib.c 2000/12/18 11:06:23
@@ -272,8 +272,10 @@
if ((s2->rbuf=OPENSSL_malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ /* wbuf needs one byte more because when using two-byte headers,
+ * we leave the first byte unused in do_ssl_write (s2_pkt.c) */
if ((s2->wbuf=OPENSSL_malloc(
- SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
s->s2=s2;
ssl2_clear(s);
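Review bot: the extra byte is now a bare `+3` in this allocation while the reason for it lives in do_ssl_write (s2_pkt.c), so the two can drift apart again; consider a named constant shared by the allocation and the write path, or at least a matching comment on the do_ssl_write side pointing back to this allocation. Also worth confirming that rbuf, still allocated at `SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2` in the context lines, does not have the same one-byte skew on the read side, since both buffers are sized by the same expression but consumed by different code paths.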
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]