Add sanity check in ssl3_cbc_digest_record
authorMatt Caswell <matt@openssl.org>
Mon, 27 Apr 2015 14:41:42 +0000 (15:41 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 30 Apr 2015 22:12:39 +0000 (23:12 +0100)
commit29b0a15a480626544dd0c803d5de671552544de6
tree9c7e16ba05be95f6df9fe96c0700b77c310267de
parent9d9e37744cd5119f9921315864d1cd28717173cd
Add sanity check in ssl3_cbc_digest_record

For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
ssl/s3_cbc.c