From 46c815a97d21135561d2204574bbd7c184b1f0b5 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 26 Mar 2018 10:25:55 +0200
Subject: [PATCH] Adds multiple checks to avoid buffer over reads
Reviewed-by: Rich Salz
Reviewed-by: Bernd Edlinger
(Merged from https://github.com/openssl/openssl/pull/5687)
---
ssl/t1_trce.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index dc62df8f94..8a5707a630 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -645,6 +645,8 @@ static int ssl_print_extensions(BIO *bio, int indent, int server,
BIO_puts(bio, "No Extensions\n");
return 1;
}
+ if (msglen < 2)
+ return 0;
extslen = (msg[0] << 8) | msg[1];
if (extslen != msglen - 2)
return 0;
@@ -1021,6 +1023,8 @@ static int ssl_print_cert_request(BIO *bio, int indent, SSL *s,
msglen -= xlen + 2;
skip_sig:
+ if (msglen < 2)
+ return 0;
xlen = (msg[0] << 8) | msg[1];
BIO_indent(bio, indent, 80);
if (msglen < xlen + 2)
@@ -1209,7 +1213,15 @@ void SSL_trace(int write_p, int version, int content_type,
switch (content_type) {
case SSL3_RT_HEADER:
{
- int hvers = msg[1] << 8 | msg[2];
+ int hvers;
+
+ /* avoid overlapping with length at the end of buffer */
+ if (msglen < (SSL_IS_DTLS(ssl) ? 13 : 5)) {
+ BIO_puts(bio, write_p ? "Sent" : "Received");
+ ssl_print_hex(bio, 0, " too short message", msg, msglen);
+ break;
+ }
+ hvers = msg[1] << 8 | msg[2];
BIO_puts(bio, write_p ? "Sent" : "Received");
BIO_printf(bio, " Record\nHeader:\n Version = %s (0x%x)\n",
ssl_trace_str(hvers, ssl_version_tbl), hvers);
--
2.25.1