From: Gabor Tyukasz <Gabor.Tyukasz@logmein.com>
Date: Wed, 23 Jul 2014 21:42:06 +0000 (+0200)
Subject: Fix race condition in ssl_parse_serverhello_tlsext
X-Git-Tag: OpenSSL_1_0_0n~3
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=03a12c1330575398cbdbd301b923af65bb7f4466;p=oweals%2Fopenssl.git

Fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
---

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b4d8ea5d52..60c7d8bca9 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1154,15 +1154,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			s->session->tlsext_ecpointformatlist_length = 0;
-			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+			if (!s->hit)
 				{
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
+				s->session->tlsext_ecpointformatlist_length = 0;
+				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
+				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 				}
-			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
 			sdata = s->session->tlsext_ecpointformatlist;