@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
348348 * Client Hello message, this would be difficult, and we'd have
349349 * to read more records to find out.
350350 * No known SSL 3.0 client fragments ClientHello like this,
351- * so we simply assume TLS 1.0 to avoid protocol version downgrade
352- * attacks. */
351+ * so we simply reject such connections to avoid
352+ * protocol version downgrade attacks. */
353353 if (p [3 ] == 0 && p [4 ] < 6 )
354354 {
355- #if 0
356355 SSLerr (SSL_F_SSL23_GET_CLIENT_HELLO ,SSL_R_RECORD_TOO_SMALL );
357356 goto err ;
358- #else
359- v [1 ] = TLS1_VERSION_MINOR ;
360- #endif
361357 }
362358 /* if major version number > 3 set minor to a value
363359 * which will use the highest version 3 we support.
364360 * If TLS 2.0 ever appears we will need to revise
365361 * this....
366362 */
367- else if (p [9 ] > SSL3_VERSION_MAJOR )
363+ if (p [9 ] > SSL3_VERSION_MAJOR )
368364 v [1 ]= 0xff ;
369365 else
370366 v [1 ]= p [10 ]; /* minor version according to client_version */
@@ -457,14 +453,34 @@ int ssl23_get_client_hello(SSL *s)
457453 v [0 ] = p [3 ]; /* == SSL3_VERSION_MAJOR */
458454 v [1 ] = p [4 ];
459455
456+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
457+ * header is sent directly on the wire, not wrapped as a TLS
458+ * record. It's format is:
459+ * Byte Content
460+ * 0-1 msg_length
461+ * 2 msg_type
462+ * 3-4 version
463+ * 5-6 cipher_spec_length
464+ * 7-8 session_id_length
465+ * 9-10 challenge_length
466+ * ... ...
467+ */
460468 n = ((p [0 ]& 0x7f )<<8 )|p [1 ];
461469 if (n > (1024 * 4 ))
462470 {
463471 SSLerr (SSL_F_SSL23_GET_CLIENT_HELLO ,SSL_R_RECORD_TOO_LARGE );
464472 goto err ;
465473 }
474+ if (n < 9 )
475+ {
476+ SSLerr (SSL_F_SSL23_GET_CLIENT_HELLO ,SSL_R_RECORD_LENGTH_MISMATCH );
477+ goto err ;
478+ }
466479
467480 j = ssl23_read_bytes (s ,n + 2 );
481+ /* We previously read 11 bytes, so if j > 0, we must have
482+ * j == n+2 == s->packet_length. We have at least 11 valid
483+ * packet bytes. */
468484 if (j <= 0 ) return (j );
469485
470486 ssl3_finish_mac (s , s -> packet + 2 , s -> packet_length - 2 );
0 commit comments