Alex Pankratov <[EMAIL PROTECTED]>:
> the following problem is present in 0.9.6 and 0.9.6c.
>
> It is possible to put server code into an internal infinite
> loop in ssl3_read_bytes() by sending the following data from
> the client right after establishing a TCP connection:
>
> 01 03 01 00 01 00
[...]
> The problem is in the code that was supposed to ignore unknown TLS
> message types:
>
> switch (rr->type)
>     {
> default:
> #ifndef NO_TLS
>     /* TLS just ignores unknown message types */
>     if (s->version == TLS1_VERSION)
>         {
>         goto start;
>         }
> #endif
>     ...
>
> The code passes control back to start without resetting 'rr' length,
[...]
Thanks for the report. This bug was already fixed some time ago,
see the snapshots at <URL:ftp://ftp.openssl.org/snapshot;type=d>.
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
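
The loop described in the quoted report, as an added example that is not part of the original thread and is not OpenSSL code: a simplified C model in which the code at `start` fetches a new record only once the current record's length is zero. The names `read_bytes_model`, `get_record`, `reset_length` and `MAX_PASSES` are hypothetical, and the fetch condition is an assumption of the model.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION 0x0301
#define MAX_PASSES   1000  /* guard so the model terminates; an assumption, not in real code */

struct record { uint8_t type; uint16_t version; uint16_t length; };

/* Parse one record (5-byte header + body). Returns bytes consumed, 0 if input is exhausted. */
static size_t get_record(const uint8_t *buf, size_t len, struct record *rr)
{
    if (len < 5) return 0;
    uint16_t body = (uint16_t)((buf[3] << 8) | buf[4]);
    if (len < 5u + body) return 0;
    rr->type = buf[0];
    rr->version = (uint16_t)((buf[1] << 8) | buf[2]);
    rr->length = body;
    return 5u + body;
}

/* Returns the number of passes through 'start', or -1 if the pass guard tripped.
 * reset_length == 0 models the reported behaviour; 1 models discarding the ignored record. */
int read_bytes_model(const uint8_t *buf, size_t len, int reset_length)
{
    struct record rr = {0, 0, 0};
    size_t off = 0;
    int passes = 0;
start:
    if (++passes > MAX_PASSES) return -1;   /* same record seen again and again */
    if (rr.length == 0) {                   /* fetch only when the old record is drained */
        size_t n = get_record(buf + off, len - off, &rr);
        if (n == 0) return passes;          /* no more input */
        off += n;
    }
    switch (rr.type) {
    case 23:                                /* application data: consume the body */
        rr.length = 0;
        goto start;
    default:                                /* unknown type: TLS ignores it */
        if (rr.version == TLS1_VERSION) {
            if (reset_length) rr.length = 0;  /* mark the ignored record as consumed */
            goto start;
        }
        return passes;
    }
}
```

With the six bytes quoted in the report as input, the model without the reset never leaves the `default` branch, while the variant that zeroes the length moves on to the next record.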