authordavidben@chromium.org <davidben@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c>2014-05-01 22:05:15 +0000
committerdavidben@chromium.org <davidben@chromium.org@4ff67af0-8c30-449e-8e8b-ad334ec8d88c>2014-05-01 22:05:15 +0000
commit176b84dd04aaadd8b6ec29d285ef7234c9fb1e85 (patch)
tree5b27b690c15b80c16bca7418e29984252986cd36
parent9feef1731155921aa8f35c6acc3f18c8826f79ae (diff)
downloadopenssl-176b84dd04aaadd8b6ec29d285ef7234c9fb1e85.tar.gz
Fix limit checks in ssl_add_clienthello_tlsext and ssl_add_serverhello_tlsext.
Some of the limit checks reference p rather than ret; p is the original buffer position, not the current one. Fix those and rename p to orig so it's clearer. BUF_MEM_grow allocates 4/3 of the size requested, so it doesn't overflow the actual allocation.

BUG=none
Review URL: https://codereview.chromium.org/258143004

git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/openssl@267648 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
-rw-r--r--README.chromium4
-rw-r--r--openssl/ssl/ssl_locl.h4
-rw-r--r--openssl/ssl/t1_lib.c34
-rw-r--r--patches.chromium/0011-fix_limit_checks.patch121
4 files changed, 145 insertions, 18 deletions
diff --git a/README.chromium b/README.chromium
index d994e1b..dcc03de 100644
--- a/README.chromium
+++ b/README.chromium
@@ -198,6 +198,10 @@ located in patches.chromium/. Currently this consists of:
mac_osx32_assembly.patch
Add support for 32 bit OS X with assembly optimization.
+
+ fix_limit_checks.patch
+ Fix limit checks in writing extensions. BUF_MEM_grow allocates 4/3 the size
+ requested, so it doesn't overflow the actual allocation.
**************************************************************************
Adding new Chromium patches:
diff --git a/openssl/ssl/ssl_locl.h b/openssl/ssl/ssl_locl.h
index 3732825..4e27d9e 100644
--- a/openssl/ssl/ssl_locl.h
+++ b/openssl/ssl/ssl_locl.h
@@ -1127,8 +1127,8 @@ int tls1_ec_nid2curve_id(int nid);
#endif /* OPENSSL_NO_EC */
#ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_prepare_clienthello_tlsext(SSL *s);
diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c
index 7a507f9..a53d56b 100644
--- a/openssl/ssl/t1_lib.c
+++ b/openssl/ssl/t1_lib.c
@@ -341,15 +341,16 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
return (int)slen;
}
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
{
int extdatalen=0;
- unsigned char *ret = p;
+ unsigned char *orig = buf;
+ unsigned char *ret = buf;
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
- return p;
+ return orig;
ret+=2;
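Review bot: The two bytes for the extensions-length prefix are reserved by `ret+=2;` on the last line of this hunk, but no check that those two bytes actually fit before `limit` is visible here, whereas the serverhello counterpart in this same commit follows its `ret+=2;` with `if (ret>=limit) return NULL; /* this really never occurs, but ... */`. If that guard sits just past the hunk in ssl_add_clienthello_tlsext there is nothing to do; if it does not, adding the same line keeps the two writers symmetric and makes the reserved prefix explicitly bounded rather than implicitly covered by the later per-extension checks. ssl_add_clienthello_tlsext's body continues beyond this hunk, so this cannot be confirmed from the diff alone.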
@@ -398,7 +399,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
return NULL;
}
- if((limit - p - 4 - el) < 0) return NULL;
+ if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_renegotiate,ret);
s2n(el,ret);
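Review bot: The corrected check `if((limit - ret - 4 - el) < 0) return NULL;` now measures from the current write position, which is the right fix, but the `4` is an unexplained magic number; a comment such as `/* 2-byte type + 2-byte length + el bytes of body must fit before limit */` would document the invariant the check enforces. The identical pattern and fix recur in the use_srtp hunk below and in both ssl_add_serverhello_tlsext hunks, so the comment belongs at each site or the check belongs in one shared helper. `el` is produced by a call outside this hunk, so whether it can ever be negative is not visible here; the subtraction form silently admits a negative `el`, which the equivalent `if (el < 0 || limit - ret < 4 + el) return NULL;` would reject explicitly.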
@@ -647,7 +648,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
- if((limit - p - 4 - el) < 0) return NULL;
+ if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_use_srtp,ret);
s2n(el,ret);
@@ -686,24 +687,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
}
- if ((extdatalen = ret-p-2)== 0)
- return p;
+ if ((extdatalen = ret-orig-2)== 0)
+ return orig;
- s2n(extdatalen,p);
+ s2n(extdatalen, orig);
return ret;
}
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
+unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
{
int extdatalen=0;
- unsigned char *ret = p;
+ unsigned char *orig = buf;
+ unsigned char *ret = buf;
#ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
#endif
/* don't add extensions for SSLv3, unless doing secure renegotiation */
if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
- return p;
+ return orig;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
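Review bot: `if ((extdatalen = ret-orig-2)== 0)` narrows a pointer difference into an `int`, and `s2n(extdatalen, orig)` then emits that value as a 16-bit length, with no check that it fits in either; the same two lines close ssl_add_serverhello_tlsext in the last hunk of this file. In practice `limit` presumably keeps the total far below 65535, so this is a pre-existing hardening gap rather than something the commit regresses, but a guard such as `if (extdatalen > 0xffff) return NULL;` before the `s2n` would state the bound in the writer instead of relying on the caller's buffer size, and NULL is already the failure path the limit checks above use. The hunk also spans the tail of one function and the head of the next, so the serverhello guard `if (ret>=limit) return NULL;` seen here is the one the clienthello side should mirror.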
@@ -726,7 +728,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
return NULL;
}
- if((limit - p - 4 - el) < 0) return NULL;
+ if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_renegotiate,ret);
s2n(el,ret);
@@ -806,7 +808,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
- if((limit - p - 4 - el) < 0) return NULL;
+ if((limit - ret - 4 - el) < 0) return NULL;
s2n(TLSEXT_TYPE_use_srtp,ret);
s2n(el,ret);
@@ -885,10 +887,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
s2n(0,ret);
}
- if ((extdatalen = ret-p-2)== 0)
- return p;
+ if ((extdatalen = ret-orig-2)== 0)
+ return orig;
- s2n(extdatalen,p);
+ s2n(extdatalen, orig);
return ret;
}
diff --git a/patches.chromium/0011-fix_limit_checks.patch b/patches.chromium/0011-fix_limit_checks.patch
new file mode 100644
index 0000000..b4ab8a3
--- /dev/null
+++ b/patches.chromium/0011-fix_limit_checks.patch
@@ -0,0 +1,121 @@
+diff --git android-openssl.orig/ssl/ssl_locl.h android-openssl/ssl/ssl_locl.h
+index 3732825..4e27d9e 100644
+--- android-openssl.orig/ssl/ssl_locl.h
++++ android-openssl/ssl/ssl_locl.h
+@@ -1127,8 +1127,8 @@ int tls1_ec_nid2curve_id(int nid);
+ #endif /* OPENSSL_NO_EC */
+
+ #ifndef OPENSSL_NO_TLSEXT
+-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
+-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
++unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit);
+ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
+ int ssl_prepare_clienthello_tlsext(SSL *s);
+diff --git android-openssl.orig/ssl/t1_lib.c android-openssl/ssl/t1_lib.c
+index 7a507f9..a53d56b 100644
+--- android-openssl.orig/ssl/t1_lib.c
++++ android-openssl/ssl/t1_lib.c
+@@ -341,15 +341,16 @@ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+ return (int)slen;
+ }
+
+-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
++unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
+ {
+ int extdatalen=0;
+- unsigned char *ret = p;
++ unsigned char *orig = buf;
++ unsigned char *ret = buf;
+
+ /* don't add extensions for SSLv3 unless doing secure renegotiation */
+ if (s->client_version == SSL3_VERSION
+ && !s->s3->send_connection_binding)
+- return p;
++ return orig;
+
+ ret+=2;
+
+@@ -398,7 +399,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ return NULL;
+ }
+
+- if((limit - p - 4 - el) < 0) return NULL;
++ if((limit - ret - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+@@ -647,7 +648,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
+
+ ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
+
+- if((limit - p - 4 - el) < 0) return NULL;
++ if((limit - ret - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_use_srtp,ret);
+ s2n(el,ret);
+@@ -686,24 +687,25 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ }
+
+
+- if ((extdatalen = ret-p-2)== 0)
+- return p;
++ if ((extdatalen = ret-orig-2)== 0)
++ return orig;
+
+- s2n(extdatalen,p);
++ s2n(extdatalen, orig);
+ return ret;
+ }
+
+-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
++unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned char *limit)
+ {
+ int extdatalen=0;
+- unsigned char *ret = p;
++ unsigned char *orig = buf;
++ unsigned char *ret = buf;
+ #ifndef OPENSSL_NO_NEXTPROTONEG
+ int next_proto_neg_seen;
+ #endif
+
+ /* don't add extensions for SSLv3, unless doing secure renegotiation */
+ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+- return p;
++ return orig;
+
+ ret+=2;
+ if (ret>=limit) return NULL; /* this really never occurs, but ... */
+@@ -726,7 +728,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ return NULL;
+ }
+
+- if((limit - p - 4 - el) < 0) return NULL;
++ if((limit - ret - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_renegotiate,ret);
+ s2n(el,ret);
+@@ -806,7 +808,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+
+ ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
+
+- if((limit - p - 4 - el) < 0) return NULL;
++ if((limit - ret - 4 - el) < 0) return NULL;
+
+ s2n(TLSEXT_TYPE_use_srtp,ret);
+ s2n(el,ret);
+@@ -885,10 +887,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
+ s2n(0,ret);
+ }
+
+- if ((extdatalen = ret-p-2)== 0)
+- return p;
++ if ((extdatalen = ret-orig-2)== 0)
++ return orig;
+
+- s2n(extdatalen,p);
++ s2n(extdatalen, orig);
+ return ret;
+ }
+