Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
compat-openssl098.503
openssl-CVE-2014-3506.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl-CVE-2014-3506.patch of Package compat-openssl098.503
commit 338a5e7e5458edf4cf754fd831a451fb4b57d180 Author: Matt Caswell <matt@openssl.org> Date: Fri Jun 6 14:25:52 2014 -0700 Fix DTLS handshake message size checks. In |dtls1_reassemble_fragment|, the value of |msg_hdr->frag_off+frag_len| was being checked against the maximum handshake message size, but then |msg_len| bytes were allocated for the fragment buffer. This means that so long as the fragment was within the allowed size, the pending handshake message could consume 16MB + 2MB (for the reassembly bitmap). Approx 10 outstanding handshake messages are allowed, meaning that an attacker could consume ~180MB per DTLS connection. In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no check was applied. Fixes CVE-2014-3506 Wholly based on patch by Adam Langley with one minor amendment. Reviewed-by: Emilia Käsper <emilia@openssl.org> Index: openssl-0.9.8j/ssl/d1_both.c =================================================================== --- openssl-0.9.8j.orig/ssl/d1_both.c 2014-08-08 15:25:06.746108335 +0200 +++ openssl-0.9.8j/ssl/d1_both.c 2014-08-08 15:45:32.935957123 +0200 @@ -550,6 +550,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, return 0; } +/* dtls1_max_handshake_message_len returns the maximum number of bytes + * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may + * be greater if the maximum certificate list size requires it. */ +static unsigned long dtls1_max_handshake_message_len(const SSL *s) + { + unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; + if (max_len < (unsigned long)s->max_cert_list) + return s->max_cert_list; + return max_len; + } static int dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok, long max) @@ -588,6 +598,9 @@ dtls1_process_out_of_seq_message(SSL *s, if (frag_len) { + if (frag_len > dtls1_max_handshake_message_len(s)) + goto err; + frag = dtls1_hm_fragment_new(frag_len); if ( frag == NULL) goto err;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor