Add sanity check in ssl3_cbc_digest_record
authorMatt Caswell <matt@openssl.org>
Mon, 27 Apr 2015 14:41:42 +0000 (15:41 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 30 Apr 2015 22:26:07 +0000 (23:26 +0100)
commit592ac25342a7863f38a3b316b183e90596f528b1
treeb9e84a8e1d73324f1a5df2f6cbe092dbd389eaaa
parentd889682208e4e75bca78f862b8e509a5b61b01f6
Add sanity check in ssl3_cbc_digest_record

For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 29b0a15a480626544dd0c803d5de671552544de6)
ssl/s3_cbc.c