From: Matt Caswell Date: Sat, 10 Sep 2016 20:24:40 +0000 (+0100) Subject: Fix a hang with SSL_peek() X-Git-Tag: OpenSSL_1_1_0a~3 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=63658103d4441924f8dbfc517b99bb54758a98b9;p=oweals%2Fopenssl.git Fix a hang with SSL_peek() If while calling SSL_peek() we read an empty record then we go into an infinite loop, continually trying to read data from the empty record and never making any progress. This could be exploited by a malicious peer in a Denial Of Service attack. CVE-2016-6305 GitHub Issue #1563 Reviewed-by: Rich Salz --- diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index abde9d4a73..0775095b9a 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1133,7 +1133,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, memcpy(buf, &(rr->data[rr->off]), n); buf += n; - if (!peek) { + if (peek) { + /* Mark any zero length record as consumed CVE-2016-6305 */ + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + } else { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) {
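Review bot: the new `if (peek)` branch marks a record as read only when `SSL3_RECORD_get_length(rr) == 0`, so a non-empty record peeked at is still left unconsumed (the existing peek semantics) while an empty record can no longer be re-read forever, which matches the hang described in the message; please pair this with a regression test that drives `SSL_peek()` against a zero-length application-data record so the CVE-2016-6305 / issue #1563 case stays covered, and note in the comment that the non-peek path already reaches the same `SSL3_RECORD_get_length(rr) == 0` handling after `SSL3_RECORD_sub_length()`, so the two branches converge on the same consumed state for an empty record.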