author	Dr. Stephen Henson <steve@openssl.org>
	Mon, 23 Apr 2012 20:35:55 +0000 (20:35 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Mon, 23 Apr 2012 20:35:55 +0000 (20:35 +0000)

The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.

Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.

CHANGES
crypto/buffer/buffer.c

diff --git a/CHANGES b/CHANGES
index 56d204e9ba3c351bc91b88af0896a5f87d441c3c..2038f9d49a57803426607eca2a32258297fc44da 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,11 @@
 
  Changes between 0.9.8v and 0.9.8w [xx XXX xxxx]
 
-  *)
+  *) The fix for CVE-2012-2110 did not take into account that the 
+     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
+     rejecting negative len parameter. (CVE-2012-2131)
+     [Tomas Hoger <thoger@redhat.com>]
 
  Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
 
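Review bot: the two added CHANGES lines ending in "the " and "Fix by " carry trailing whitespace; strip it before committing. The entry also says only that 'len' "is an int in OpenSSL 0.9.8"; since this is a follow-up to CVE-2012-2110, it would help readers of the 0.9.8 changelog to state explicitly that the other release branches are not affected by this second issue and why, so the scope of CVE-2012-2131 is clear from the entry alone.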
index 1f09cba061d7d0a2edebb9f50d15dcb4f3922fa1..3b4c79f7048ce2c10df3e305fe1c9c52af4119d1 100644 (file)
@@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
        char *ret;
        unsigned int n;
 
+       if (len < 0)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        if (str->length >= len)
                {
                str->length=len;
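Review bot: the new `if (len < 0)` guard at the top of BUF_MEM_grow reports ERR_R_MALLOC_FAILURE, which is misleading for a rejected argument (no allocation was attempted) and will send callers that inspect the error queue down the wrong path; use a dedicated BUF reason code, or at least ERR_R_INTERNAL_ERROR, so a negative length is distinguishable from an out-of-memory condition. Also, `n` is declared `unsigned int` while `len` is a signed int: the guard closes the negative case, but it is worth confirming that the later derivation of n from a very large positive len (not shown in this hunk) cannot overflow either.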
@@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
        char *ret;
        unsigned int n;
 
+       if (len < 0)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        if (str->length >= len)
                {
                memset(&str->data[len],0,str->length-len);
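Review bot: same misleading ERR_R_MALLOC_FAILURE reason code as in BUF_MEM_grow; whichever reason code is chosen there should be used here as well, and the identical five-line guard could be factored into a small static helper or macro so the two functions do not drift apart. With the check in place, the shrink path's `memset(&str->data[len],0,str->length-len)` can no longer be reached with a negative len, which is exactly the case the CVE-2012-2110 fix left open on this branch; a one-line comment on the guard saying so (and naming CVE-2012-2131) would keep a future cleanup from removing it as redundant.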