Attached patch fixes out-of-bounds reads of r[4]. Thanks
--- ssl/s3_srvr.c.old 2013-08-20 11:34:59.000000000 -0700
+++ ssl/s3_srvr.c 2013-08-20 11:34:59.000000000 -0700
@@ -1838,7 +1838,7 @@
 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
 goto f_err;
 }
- for (i=0; r[i] != NULL && i<4; i++)
+ for (i=0; i<4 && r[i] != NULL; i++)
 {
 nr[i]=BN_num_bytes(r[i]);
 #ifndef OPENSSL_NO_SRP
@@ -1874,7 +1874,7 @@
 d=(unsigned char *)s->init_buf->data;
 p= &(d[4]);
- for (i=0; r[i] != NULL && i<4; i++)
+ for (i=0; i<4 && r[i] != NULL; i++)
 {
 #ifndef OPENSSL_NO_SRP
 if ((i == 2) && (type & SSL_kSRP))
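Review bot: The bound `4` in the corrected loop at -1838 (and again in the hunk at -1874) is a bare literal that has to stay in step with the declared length of `r[]`, and that declaration is not visible in either hunk. Nothing on the new lines records why the index test must come first, so a later tidy-up could swap the operands back and reintroduce the read one past the end when all four slots are populated. I would add a comment above each loop, for example `/* test i before r[i]: r[] may be full, so there is no NULL terminator to rely on */`. If `r` is a true array in this function, the bound could also be derived from it, `sizeof(r)/sizeof(r[0])`, rather than repeated. The enclosing function starts and ends outside both hunks.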