Commit 69689fa4 authored by Harin Vadodaria's avatar Harin Vadodaria

Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION

              DOPROCESSREPLY()

Description: Function DoProcessReply() calls function
             decrypt_message() in a while loop without
             performing a check on available buffer
             space. This can cause buffer overflow and
             crash the server. This patch is fix provided
             by Sawtooth to resolve the issue.
parent 1cffb192
...@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl) ...@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)
while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
// each message in record, can be more than 1 if not encrypted // each message in record, can be more than 1 if not encrypted
if (ssl.getSecurity().get_parms().pending_ == false) // cipher on if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
// sanity check for malicious/corrupted/illegal input
if (buffer.get_remaining() < hdr.length_) {
ssl.SetError(bad_input);
return 0;
}
decrypt_message(ssl, buffer, hdr.length_); decrypt_message(ssl, buffer, hdr.length_);
}
mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_)); mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
if (!msg.get()) { if (!msg.get()) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment