Please sign in to comment.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ssl sigalg extension: fix NULL pointer dereference
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's possible to crash an openssl tls secured server remotely by sending a manipulated hello message in a rehandshake. On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls tls12_shared_sigalgs() with the peer_sigalgslen of the previous handshake, while the peer_sigalgs has been freed. As a result tls12_shared_sigalgs() walks over the available peer_sigalgs and tries to access data of a NULL pointer. This issue was introduced by c589c34 (Add support for the TLS 1.3 signature_algorithms_cert extension, 2018-01-11). Signed-off-by: Peter Kästle <email@example.com> Signed-off-by: Samuel Sapalski <firstname.lastname@example.org> CVE-2021-3449 CLA: trivial Reviewed-by: Tomas Mraz <email@example.com> Reviewed-by: Paul Dale <firstname.lastname@example.org> Reviewed-by: Matt Caswell <email@example.com>
- Loading branch information