- Fixed potential memory corruption on miscrafted client messages (found by Frama-C team at CEA LIST)
This commit is contained in:
parent
6126481796
commit
452d532955
2 changed files with 11 additions and 0 deletions
|
@ -22,6 +22,10 @@ Bugfix
|
||||||
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
|
||||||
Hui Dong)
|
Hui Dong)
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fixed potential memory corruption on miscrafted client messages (found by
|
||||||
|
Frama-C team at CEA LIST)
|
||||||
|
|
||||||
= Version 1.1.1 released on 2012-01-23
|
= Version 1.1.1 released on 2012-01-23
|
||||||
Bugfix
|
Bugfix
|
||||||
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
|
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
|
||||||
|
|
|
@ -880,6 +880,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
|
||||||
/*
|
/*
|
||||||
* Always compute the MAC (RFC4346, CBCTIME).
|
* Always compute the MAC (RFC4346, CBCTIME).
|
||||||
*/
|
*/
|
||||||
|
if( ssl->in_msglen <= ssl->maclen + padlen )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
|
||||||
|
ssl->in_msglen, ssl->maclen, padlen ) );
|
||||||
|
return( POLARSSL_ERR_SSL_INVALID_MAC );
|
||||||
|
}
|
||||||
|
|
||||||
ssl->in_msglen -= ( ssl->maclen + padlen );
|
ssl->in_msglen -= ( ssl->maclen + padlen );
|
||||||
|
|
||||||
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
|
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
|
||||||
|
|
Loading…
Reference in a new issue