
Make message buffer slightly larger than message.

Grow the TLS/DTLS message buffer 16 bytes more than strictly necessary as a
precaution against OOB reads. In most cases this will have no effect because
the message buffer will be large enough already.

Reviewed-by: Matt Caswell <matt@openssl.org>
snhenson committed Sep 21, 2016
1 parent bc9563f commit 006a788c84e541c8920dd2ad85fb62b52185c519
Showing with 9 additions and 2 deletions.
  1. +4 −1 ssl/d1_both.c
  2. +5 −1 ssl/s3_both.c
@@ -581,9 +581,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
/*
* msg_len is limited to 2^24, but is effectively checked against max
* above
*
* Make buffer slightly larger than message length as a precaution
* against small OOB reads e.g. CVE-2016-6306
*/
if (!BUF_MEM_grow_clean
(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
return SSL_AD_INTERNAL_ERROR;
}
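Review bot: The literal `16` in the `BUF_MEM_grow_clean` call is an unexplained magic number, and the same literal is repeated in the ssl/s3_both.c section of this commit. A single shared constant in a common header, for example `#define SSL_MSG_BUF_SLACK 16` (the name is only a suggestion), would keep the two call sites in sync and give one place to record why 16 was chosen. The added comment would also be safer for future readers if it said the slack is defence in depth only, e.g. `* The slack only limits the impact of a short over-read; parsers must still bound every read by the message length.` It is also worth confirming that nothing later treats the grown size of `s->init_buf` as the message length, which now appears to include the 16 spare bytes. dtls1_preprocess_fragment starts and ends outside the hunk.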
@@ -417,9 +417,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
goto f_err;
}
/*
* Make buffer slightly larger than message length as a precaution
* against small OOB reads e.g. CVE-2016-6306
*/
if (l
&& !BUF_MEM_grow_clean(s->init_buf,
(int)l + SSL3_HM_HEADER_LENGTH)) {
(int)l + SSL3_HM_HEADER_LENGTH + 16)) {
SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
goto err;
}
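Review bot: The size expression `(int)l + SSL3_HM_HEADER_LENGTH + 16` is evaluated in `int`, so the extra 16 bytes reduce the headroom before signed overflow by the same amount. The check that bounds `l` ends just above the hunk and only its error path is visible, so whatever limit it enforces has to leave room for the header plus the slack. If a limit derived from `INT_MAX` exists there, it should subtract the same total, along the lines of `if (l > INT_MAX - SSL3_HM_HEADER_LENGTH - 16)`. ssl3_get_message starts and ends outside the hunk, so this cannot be confirmed from the lines shown.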
