From 4bfe1432c8d82ffaa99c01085da0520b6090567d Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 31 Oct 2016 12:47:20 +0000
Subject: [PATCH] Handle compression methods correctly with SSLv2 compat ClientHello

In the case of an SSLv2 compat ClientHello we weren't setting up the compression methods correctly, which could lead to uninit reads or crashes.

Reviewed-by: Kurt Roeckx
Reviewed-by: Rich Salz
---
 ssl/statem/statem_srvr.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 9911e3ccde..c7841ac48e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1039,10 +1039,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 goto f_err;
 }

- if (!PACKET_get_length_prefixed_1(pkt, &compression)
- || !PACKET_copy_all(&compression, clienthello.compressions,
- MAX_COMPRESSIONS_SIZE,
- &clienthello.compressions_len)) {
+ if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
@@ -1060,9 +1057,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 }
 }

- if (!PACKET_copy_all(&session_id, clienthello.session_id,
- SSL_MAX_SSL_SESSION_ID_LENGTH,
- &clienthello.session_id_len)) {
+ if (!PACKET_copy_all(&compression, clienthello.compressions,
+ MAX_COMPRESSIONS_SIZE, &clienthello.compressions_len)
+ || !PACKET_copy_all(&session_id, clienthello.session_id,
+ SSL_MAX_SSL_SESSION_ID_LENGTH,
+ &clienthello.session_id_len)) {
 al = SSL_AD_DECODE_ERROR;
 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
--
2.25.1
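Review bot: The `PACKET_copy_all(&compression, ...)` call added in the second hunk now sits on the path shared by both ClientHello formats, so it is only safe if the SSLv2-compat branch also leaves `compression` initialised. That branch lies outside both hunks and cannot be confirmed from here. A comment above the combined `if` would record the invariant, for example `/* Both the SSLv2-compat and the standard branch above must have initialised compression and session_id */`. The diffstat touches only statem_srvr.c, so a regression test that feeds an SSLv2-compat ClientHello through this function and checks `clienthello.compressions_len` would keep the uninitialised read described in the commit message from returning. tls_process_client_hello starts and ends outside the hunks.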