Hello,
        I have been looking at the OpenSSL source code, and this jumped out as a
possible error. 'n' is an unsigned before it is passed into ssl3_read_n,
which causes the worry of an overflow. To prevent this, I added a check that
just makes sure that n is not less than zero, which wouldn't make sense
anyway. This is my first time posting a change for OpenSSL, so please
forgive any formatting errors.
Thanks,
        Ben Chaney


diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8fc3bb4..1d0bc6a 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -224,7 +224,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
                rb->offset = len + align;
                }
 
-       if (n > (int)(rb->len - rb->offset)) /* does not happen */
+       if ( (n > (int)(rb->len - rb->offset)) || (n < 0) ) /* does not
happen */
                {
                SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
                return -1;
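
Review bot: the added "+" line has been wrapped by the mail client, leaving "happen */" on a line of its own with no diff prefix, so this hunk will not apply as posted; resend it unwrapped or as an attachment. On the condition itself, the hunk header shows the parameter declared as "int n", so the new "(n < 0)" test only fires when a caller's unsigned value has converted to a negative int. The "does not happen" comment would be more useful if it said that, since it now covers two different failure cases. The spacing in "if ( (" also differs from the "if (n > ..." style of the line it replaces.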

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
