backport fix from the stable branch
authorNils Larsch <nils@openssl.org>
Tue, 3 May 2005 10:00:16 +0000 (10:00 +0000)
committerNils Larsch <nils@openssl.org>
Tue, 3 May 2005 10:00:16 +0000 (10:00 +0000)
ChangeLog.0_9_7-stable_not-in-head
ssl/s3_pkt.c
ssl/s3_srvr.c

index b689ca20248b09d168aee577d72434ec6084eeae..51a24c81a8d5207d2d1d08c95106527b701717ea 100644 (file)
@@ -165,28 +165,6 @@ be added to the end of this file.
 
        DES CFB8 test.
 
-2004-03-17 05:01  mark
-
-       Changed:
-               CHANGES (1.977.2.128), "Exp", lines: +9 -1
-               FAQ (1.61.2.30), "Exp", lines: +1 -1
-               LICENSE (1.7.2.3), "Exp", lines: +1 -1
-               NEWS (1.39.2.21), "Exp", lines: +8 -0
-               README (1.39.2.24), "Exp", lines: +2 -2
-               STATUS (1.211.2.41), "Exp", lines: +4 -1
-               openssl.spec (1.6.2.6), "Exp", lines: +1 -1
-               crypto/opensslv.h (1.40.2.21), "Exp", lines: +2 -2
-               ssl/s3_pkt.c (1.46.2.6), "Exp", lines: +8 -0
-               ssl/s3_srvr.c (1.85.2.20), "Exp", lines: +16 -0
-
-       Fix null-pointer assignment in do_change_cipher_spec() revealed by
-       using the Codenomicon TLS Test Tool (CAN-2004-0079) Fix flaw in
-       SSL/TLS handshaking when using Kerberos ciphersuites
-       (CAN-2004-0112) Ready for 0.9.7d build
-
-               Submitted by: Steven Henson Reviewed by: Joe Orton Approved
-       by: Mark Cox
-
 2004-05-12 16:11  ben
 
        Changed:
index f92ec594473af2410741173a3a8585e0472322a3..a24cec2d2067c740fcbe6558233d66538eb83c2c 100644 (file)
@@ -1087,6 +1087,14 @@ start:
                        goto f_err;
                        }
 
+               /* Check we have a cipher to change to */
+               if (s->s3->tmp.new_cipher == NULL)
+                       {
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+                       goto f_err;
+                       }
+
                rr->length=0;
 
                if (s->msg_callback)
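Review bot: The added `SSLerr()` call records `SSL_F_SSL3_GET_CERT_VERIFY` as the function code, which does not appear to match where this check sits: the hunk is in ssl/s3_pkt.c under the `start:` label, not in certificate-verify handling. As written, an early ChangeCipherSpec rejected here is attributed to the wrong function in the error queue, which misleads anyone triaging handshake failures or matching on the error string. The enclosing function starts outside the hunk; if it is ssl3_read_bytes, the line should read `SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);`.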
index 7bb68e083d68aef0a6cc73f30206e2752cfbeae5..6daf703f5e1be2bbccc8b02f4603e59558e9380a 100644 (file)
@@ -1883,11 +1883,27 @@ int ssl3_get_client_key_exchange(SSL *s)
 
                n2s(p,i);
                enc_ticket.length = i;
+
+               if (n < enc_ticket.length + 6)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                       goto err;
+                       }
+
                enc_ticket.data = (char *)p;
                p+=enc_ticket.length;
 
                n2s(p,i);
                authenticator.length = i;
+
+               if (n < enc_ticket.length + authenticator.length + 6)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                       goto err;
+                       }
+
                authenticator.data = (char *)p;
                p+=authenticator.length;
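Review bot: The literal `6` in both new bounds checks (`n < enc_ticket.length + 6` and `n < enc_ticket.length + authenticator.length + 6`) is unexplained, so the arithmetic is hard to verify. It presumably covers three two-byte length prefixes, the third belonging to a field parsed after this hunk; a comment such as `/* 6 = three 2-byte length prefixes (ticket, authenticator, third field) */` on the first check would state that. Separately, the first `n2s(p,i)` in the visible lines reads two bytes before any comparison against `n`. Since ssl3_get_client_key_exchange begins and continues outside the hunk, confirm that `n >= 2` is established earlier. Also confirm that the third length is bounded in the same way before its data pointer is used.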