Fix potential NULL dereference on bad usage

This commit is contained in:
Manuel Pégourié-Gonnard 2015-04-15 19:09:03 +02:00
parent ce60fbeb30
commit a2fce21ae5
2 changed files with 46 additions and 28 deletions

View file

@ -27,6 +27,9 @@ Features
errors on use of deprecated functions.
Bugfix
* Fix potential NULL pointer dereference (not trigerrable remotely) when
ssl_write() is called before the handshake is finished (introduced in
1.3.10) (first reported by Martin Blumenstingl).
* Fix bug in pk_parse_key() that caused some valid private EC keys to be
rejected.
* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).

View file

@ -4754,37 +4754,16 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
}
/*
* Send application data to be encrypted by the SSL layer
* Send application data to be encrypted by the SSL layer,
* taking care of max fragment length and buffer size
*/
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
static int ssl_write_real( ssl_context *ssl, const unsigned char *buf, size_t len )
#else
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
#endif
static int ssl_write_real( ssl_context *ssl,
const unsigned char *buf, size_t len )
{
int ret;
size_t n;
unsigned int max_len = SSL_MAX_CONTENT_LEN;
SSL_DEBUG_MSG( 2, ( "=> write" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
}
#endif
if( ssl->state != SSL_HANDSHAKE_OVER )
{
if( ( ret = ssl_handshake( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
}
}
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
/*
* Assume mfl_code is correct since it was checked when set
@ -4824,8 +4803,6 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
}
}
SSL_DEBUG_MSG( 2, ( "<= write" ) );
return( (int) n );
}
@ -4837,7 +4814,8 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
* remember wether we already did the split or not.
*/
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
static int ssl_write_split( ssl_context *ssl,
const unsigned char *buf, size_t len )
{
int ret;
@ -4865,6 +4843,43 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
}
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
/*
* Write application data (public-facing wrapper)
*/
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
{
int ret;
SSL_DEBUG_MSG( 2, ( "=> write" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
}
#endif
if( ssl->state != SSL_HANDSHAKE_OVER )
{
if( ( ret = ssl_handshake( ssl ) ) != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
}
}
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
ret = ssl_write_split( ssl, buf, len );
#else
ret = ssl_write_real( ssl, buf, len );
#endif
SSL_DEBUG_MSG( 2, ( "<= write" ) );
return( ret );
}
/*
* Notify the peer that the connection is being closed
*/