From: Matt Caswell
Date: Mon, 31 Oct 2016 12:47:20 +0000 (+0000)
Subject: Handle compression methods correctly with SSLv2 compat ClientHello
X-Git-Tag: OpenSSL_1_1_1-pre1~3156
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=4bfe1432c8d82ffaa99c01085da0520b6090567d;p=oweals%2Fopenssl.git

Handle compression methods correctly with SSLv2 compat ClientHello

In the case of an SSLv2 compat ClientHello we weren't setting up the compression methods correctly, which could lead to uninit reads or crashes.

Reviewed-by: Kurt Roeckx
Reviewed-by: Rich Salz
---

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 9911e3ccde..c7841ac48e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1039,10 +1039,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 goto f_err;
 }
 
- if (!PACKET_get_length_prefixed_1(pkt, &compression)
- || !PACKET_copy_all(&compression, clienthello.compressions,
- MAX_COMPRESSIONS_SIZE,
- &clienthello.compressions_len)) {
+ if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
@@ -1060,9 +1057,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 }
 }
 
- if (!PACKET_copy_all(&session_id, clienthello.session_id,
- SSL_MAX_SSL_SESSION_ID_LENGTH,
- &clienthello.session_id_len)) {
+ if (!PACKET_copy_all(&compression, clienthello.compressions,
+ MAX_COMPRESSIONS_SIZE, &clienthello.compressions_len)
+ || !PACKET_copy_all(&session_id, clienthello.session_id,
+ SSL_MAX_SSL_SESSION_ID_LENGTH,
+ &clienthello.session_id_len)) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
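Review bot: The relocated `PACKET_copy_all(&compression, ...)` in the second hunk appears to run for both ClientHello formats, so it relies on `compression` having been initialised on the SSLv2-compat path as well; that assignment is outside both hunks and should be confirmed, since an unset PACKET here would reintroduce the uninitialised read the commit is fixing. A short comment above the combined check would record why the copy lives at this point, for example `/* Copy after both the SSLv2-compat and regular paths so compressions_len is always set */`. After the move, a compression list longer than `MAX_COMPRESSIONS_SIZE` is rejected only once the code between the two hunks has run, and it shares the `SSL_R_LENGTH_MISMATCH` report with an over-long session id, which is worth a word in the comment. The body of tls_process_client_hello starts and ends outside both hunks.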