From 4d6fe78f65be650c84e14777c90e7a088f7a44ce Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 12:57:24 -0500 Subject: [PATCH] Empty SNI names are not valid While empty inputs to SSL_set1_host() clear the reference identifier list. (cherry-picked from 1.1.0-dev) Reviewed-by: Rich Salz --- crypto/x509/x509_vpm.c | 4 ++-- ssl/s3_lib.c | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 592a8a5f6a..1ac15a881a 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -94,11 +94,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, * Refuse names with embedded NUL bytes, except perhaps as final byte. * XXX: Do we need to push an error onto the error stack? */ - if (namelen == 0) + if (namelen == 0 || name == NULL) namelen = name ? strlen(name) : 0; else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen)) return 0; - if (name && name[namelen - 1] == '\0') + if (namelen > 0 && name[namelen - 1] == '\0') --namelen; if (mode == SET_HOST && id->hosts) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 64793d6af3..5970e617f0 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3263,6 +3263,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { + size_t len; + if (s->tlsext_hostname != NULL) OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; @@ -3270,7 +3272,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { + len = strlen((char *)parg); + if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } -- 2.25.1