On Thu, Jul 10, 2014 at 11:26:46AM +0200, Chaney, Benjamin via RT wrote:
> Hello,
> I have been looking at the OpenSSL source code, and this jumped out as a
> possible error. 'n?? is an unsigned before it is passed into ssl3_read_n,
> which causes the worry of an overflow. To prevent this, I added check that
> just makes sure that n is not less than zero, which wouldn't make sense
> anyway. This is my first time posting a change for OpenSSL, so please
> forgive any formatting errors.
n is signed:
139 int ssl3_read_n(SSL *s, int n, int max, int extend)
and the checks
153 if (n <= 0) return n;
and
200 if (left > 0 && n > left)
201 n = left;
make sure n > 0 already.
-Otto
> Thanks,
> Ben Chaney
>
>
> diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
> index 8fc3bb4..1d0bc6a 100644
> --- a/ssl/s3_pkt.c
> +++ b/ssl/s3_pkt.c
> @@ -224,7 +224,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
> rb->offset = len + align;
> }
>
> - if (n > (int)(rb->len - rb->offset)) /* does not happen */
> + if ( (n > (int)(rb->len - rb->offset)) || (n < 0) ) /* does not
> happen */
> {
> SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
> return -1;
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
