author | Matt Caswell <matt@openssl.org> | 2021-03-18 17:52:10 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-03-25 10:48:08 +0100 |
commit | 39a140597d874e554b736885ac4dea16ac40a87a (patch) | |
tree | 4111ade117e62d5eb609109e6c47d7a866660046 /ssl/ssl_lib.c | |
parent | ssl sigalg extension: fix NULL pointer dereference (diff) | |
Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Diffstat (limited to 'ssl/ssl_lib.c')
-rw-r--r-- | ssl/ssl_lib.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4cb40bd89b..57e8d15798 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -772,8 +772,10 @@ SSL *SSL_new(SSL_CTX *ctx)
 s->ext.ecpointformats = OPENSSL_memdup(ctx->ext.ecpointformats, ctx->ext.ecpointformats_len);
- if (!s->ext.ecpointformats)
+ if (!s->ext.ecpointformats) {
+ s->ext.ecpointformats_len = 0;
 goto err;
+ }
 s->ext.ecpointformats_len = ctx->ext.ecpointformats_len;
 }
@@ -782,8 +784,10 @@ SSL *SSL_new(SSL_CTX *ctx)
 OPENSSL_memdup(ctx->ext.supportedgroups, ctx->ext.supportedgroups_len * sizeof(*ctx->ext.supportedgroups));
- if (!s->ext.supportedgroups)
+ if (!s->ext.supportedgroups) {
+ s->ext.supportedgroups_len = 0;
 goto err;
+ }
 s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
 }
@@ -793,8 +797,10 @@ SSL *SSL_new(SSL_CTX *ctx)
 if (s->ctx->ext.alpn) {
 s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
- if (s->ext.alpn == NULL)
+ if (s->ext.alpn == NULL) {
+ s->ext.alpn_len = 0;
 goto err;
+ }
 memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
 s->ext.alpn_len = s->ctx->ext.alpn_len;
 }
@@ -2990,6 +2996,7 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
 OPENSSL_free(ctx->ext.alpn);
 ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
 if (ctx->ext.alpn == NULL) {
+ ctx->ext.alpn_len = 0;
 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 return 1;
 }
@@ -3009,6 +3016,7 @@ int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
 OPENSSL_free(ssl->ext.alpn);
 ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
 if (ssl->ext.alpn == NULL) {
+ ssl->ext.alpn_len = 0;
 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
 return 1;
 }
|
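Review bot: The new `s->ext.ecpointformats_len = 0;` in the first SSL_new hunk, like the matching `supportedgroups_len` and `alpn_len` resets in the next two hunks, carries no comment explaining why a length is cleared just before `goto err`, so it reads as dead code and is easy to delete in a later cleanup. I would add `/* keep length in sync with the NULL buffer, cf. CVE-2021-3449 */` above the first reset. Whether the length can be non-zero at this point depends on how `s` was allocated, which is outside the hunk; if the structure is zero-initialised the reset is purely defensive, and the comment should say so.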
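Review bot: The ALPN copy in the third SSL_new hunk is the only one of the three that still pairs `OPENSSL_malloc` with a separate `memcpy`, and it reads through `s->ctx->ext` where the two copies above it read `ctx->ext`. Writing it as `s->ext.alpn = OPENSSL_memdup(s->ctx->ext.alpn, s->ctx->ext.alpn_len);` and dropping the `memcpy` line would make the three branches parallel. That leaves a single allocate-and-copy pattern to audit for pointer/length mismatches.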
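Review bot: In the SSL_CTX_set_alpn_protos hunk the old list is freed before `OPENSSL_memdup` is attempted, so an allocation failure discards the previously configured protocols, and the pair is only back in sync because of the added `ctx->ext.alpn_len = 0;`. Duplicating into a local first and swapping only on success would keep the earlier configuration intact on failure and make the reset unnecessary; the same applies to the SSL_set_alpn_protos hunk with `ssl->ext`. The start of both functions and whatever updates the length after the closing brace are outside the hunks, so the length assignment is not shown below.

```c
unsigned char *alpn;

/* … unchanged: earlier part of SSL_CTX_set_alpn_protos, outside the hunk … */
alpn = OPENSSL_memdup(protos, protos_len);
if (alpn == NULL) {
    /* … unchanged: ERR_raise and return 1 … */
}
/* Replace the stored list only once the copy exists. */
OPENSSL_free(ctx->ext.alpn);
ctx->ext.alpn = alpn;
```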