Fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509 Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>

Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509 Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Dr. Stephen Henson <steve@openssl.org>
fb0bc2b2 · Gabor Tyukasz · Matt Caswell · 0042fb5f · fb0bc2b2
显示空白变更内容
内联并排

Showing with 10 addition and 7 deletion

ssl/t1_lib.c ssl/t1_lib.c +10 -7

未找到文件。
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2647,6 +2647,8 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
+			if (!s->hit)
+				{
 				s->session->tlsext_ecpointformatlist_length = 0;
 				if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
 				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
@@ -2656,6 +2658,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
 					}
 				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
 				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
+				}
 #if 0
 			fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
 			sdata = s->session->tlsext_ecpointformatlist;