Fix possible client crash on API misuse

This commit is contained in:
Manuel Pégourié-Gonnard 2015-09-03 10:44:32 +02:00
parent aa4e55bd23
commit fa566e3545
3 changed files with 2893 additions and 0 deletions

View file

@ -2,6 +2,11 @@ PolarSSL ChangeLog
= Version 1.2.16 released 2015-??-??
Security
* Fix possible client-side NULL pointer dereference (read) when the client
tries to continue the handshake after it failed (a misuse of the API).
(Found by GDS Labs using afl-fuzz.)
Bugfix
* Fix unused function warning when using MBEDTLS_MDx_ALT or
MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)

View file

@ -693,6 +693,12 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
if( ssl->session_negotiate->peer_cert == NULL )
{
SSL_DEBUG_MSG( 2, ( "certificate required" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
SSL_DEBUG_BUF( 3, "server key exchange", ssl->in_msg + 4, ssl->in_hslen - 4 );
/*
@ -1119,6 +1125,12 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
/*
* RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
*/
if( ssl->session_negotiate->peer_cert == NULL )
{
SSL_DEBUG_MSG( 2, ( "certificate required" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
ssl->handshake->premaster[0] = (unsigned char) ssl->max_major_ver;
ssl->handshake->premaster[1] = (unsigned char) ssl->max_minor_ver;
ssl->handshake->pmslen = 48;

2876
library/ssl_cli.c.orig Normal file

File diff suppressed because it is too large Load diff