
Contents of /updates/3/openssl/current/SOURCES/openssl-1.0.1g-CVE-2014-0198.patch



Revision 619695
Fri May 2 18:58:23 2014 UTC (6 years, 7 months ago) by luigiwalser
File size: 1307 byte(s)
rediff patch from openbsd to fix CVE-2014-0198
1 From e76e308f1fab2253ab5b4ef52a1865c5ffecdf21 Mon Sep 17 00:00:00 2001
2 From: tedu <tedu>
3 Date: Thu, 24 Apr 2014 04:31:30 +0000
4 Subject: on today's episode of things you didn't want to learn:
5 do_ssl3_write() is recursive. and not in the simple, obvious way, but in the
6 sneaky called through ssl3_dispatch_alert way. (alert level: fuchsia) this
7 then has a decent chance of releasing the buffer that we thought we were
8 going to use. check for this happening, and if the buffer has gone missing,
9 put another one back in place. the direct recursive call is safe because it
10 won't call ssl3_write_pending which is the function that actually does do the
11 writing and releasing. as reported by David Ramos to openssl-dev:
12 http://marc.info/?l=openssl-dev&m=139809493725682&w=2 ok beck
13
14
15 diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
16 index 60c5114..5ef25a4 100644
17 --- a/lib/libssl/src/ssl/s3_pkt.c
18 +++ b/lib/libssl/src/ssl/s3_pkt.c
19 @@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
20 if (i <= 0)
21 return(i);
22 /* if it went, fall through and send more stuff */
23 + /* we may have released our buffer, so get it again */
24 + if (wb->buf == NULL)
25 + if (!ssl3_setup_write_buffer(s))
26 + return -1;
27 }
28
29 if (len == 0 && !create_empty_fragment)
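Review bot: the added check nests one unbraced `if` inside another (`if (wb->buf == NULL)` followed by `if (!ssl3_setup_write_buffer(s))`), which is easy to misread and fragile if an `else` is ever added. Folding it into a single condition, `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;`, or adding braces, would make the intent unambiguous. The new `return -1;` also differs in style from the `return(i);` two lines above it. The in-code comment says only that the buffer "may have" been released. The commit message explains that this happens through the recursive path via ssl3_dispatch_alert, and naming that path in the comment would help the next reader see why a buffer that was set up earlier in the function can be NULL at this point.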
30 --
31 cgit v0.9.2-21-gd62e
