Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION

DOPROCESSREPLY() Description: Function DoProcessReply() calls function decrypt_message() in a while loop without performing a check on available buffer space. This can cause buffer overflow and crash the server. This patch is fix provided by Sawtooth to resolve the issue.

Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY() Description: Function DoProcessReply() calls function decrypt_message() in a while loop without performing a check on available buffer space. This can cause buffer overflow and crash the server. This patch is fix provided by Sawtooth to resolve the issue.
69689fa4 · Harin Vadodaria · 1cffb192 · 69689fa4
Commit 69689fa4 authored Dec 13, 2012 by Harin Vadodaria
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

extra/yassl/src/handshake.cpp extra/yassl/src/handshake.cpp +7 -1

No files found.
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)

        while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
            // each message in record, can be more than 1 if not encrypted
-            if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+            if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+                // sanity check for malicious/corrupted/illegal input
+                if (buffer.get_remaining() < hdr.length_) {
+                    ssl.SetError(bad_input);
+                    return 0;
+                }
                decrypt_message(ssl, buffer, hdr.length_);
+            }
                
            mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
            if (!msg.get()) {