From: Philippe Antoine Date: Thu, 22 Feb 2018 18:56:40 +0000 (-0500) Subject: Checks ec_points_format extension size X-Git-Tag: OpenSSL_1_0_2o~30 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=99bb59d9d7fbcf73c8ed1e5b3e9cb7e3b0225521;p=oweals%2Fopenssl.git Checks ec_points_format extension size Before reading first byte as length Reviewed-by: Matt Caswell Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5410)
---
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a186623505..3c5b6ad692 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2284,8 +2284,13 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 # ifndef OPENSSL_NO_EC
 else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
+ int ecpointformatlist_length;
+ if (size == 0) {
+ goto err;
+ }
+
+ ecpointformatlist_length = *(sdata++);
 if (ecpointformatlist_length != size - 1 || ecpointformatlist_length < 1) goto err;
@@ -2711,8 +2716,14 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
 # ifndef OPENSSL_NO_EC
 else if (type == TLSEXT_TYPE_ec_point_formats) { unsigned char *sdata = data;
- int ecpointformatlist_length = *(sdata++);
+ int ecpointformatlist_length;
+
+ if (size == 0) {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ ecpointformatlist_length = *(sdata++);
 if (ecpointformatlist_length != size - 1) { *al = TLS1_AD_DECODE_ERROR; return 0;
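Review bot: In the ssl_scan_serverhello_tlsext hunk, the check after the new `size == 0` guard is still only `ecpointformatlist_length != size - 1`, so a one-byte extension whose length byte is 0 is accepted as an empty point-format list. The clienthello hunk rejects that case with `|| ecpointformatlist_length < 1`, and the server path should match it: `if (ecpointformatlist_length != size - 1 || ecpointformatlist_length < 1) {`. What the code does with a zero-length list lies outside the hunk, so the impact cannot be judged from here. A short comment on both guards, such as `/* need at least the one-byte list length before reading it */`, would also record why `size` is tested before `*(sdata++)`.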