From owner-svn-src-stable-7@FreeBSD.ORG  Sun Feb 13 10:24:36 2011
Return-Path: <owner-svn-src-stable-7@FreeBSD.ORG>
Delivered-To: svn-src-stable-7@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 89790106566B;
	Sun, 13 Feb 2011 10:24:36 +0000 (UTC)
	(envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 779528FC0C;
	Sun, 13 Feb 2011 10:24:36 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p1DAOa7S033961;
	Sun, 13 Feb 2011 10:24:36 GMT (envelope-from simon@svn.freebsd.org)
Received: (from simon@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id p1DAOap4033959;
	Sun, 13 Feb 2011 10:24:36 GMT (envelope-from simon@svn.freebsd.org)
Message-Id: <201102131024.p1DAOap4033959@svn.freebsd.org>
From: "Simon L. Nielsen" <simon@FreeBSD.org>
Date: Sun, 13 Feb 2011 10:24:36 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r218634 - stable/7/crypto/openssl/ssl
X-BeenThere: svn-src-stable-7@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for only the 7-stable src tree
	<svn-src-stable-7.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable-7>, 
	<mailto:svn-src-stable-7-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable-7>
List-Post: <mailto:svn-src-stable-7@freebsd.org>
List-Help: <mailto:svn-src-stable-7-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable-7>, 
	<mailto:svn-src-stable-7-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Feb 2011 10:24:36 -0000

Author: simon
Date: Sun Feb 13 10:24:36 2011
New Revision: 218634
URL: http://svn.freebsd.org/changeset/base/218634

Log:
  MFC 218625:
   Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
   cause OpenSSL to parse past the end of the message.
  
   Note: Applications are only affected if they act as a server and call
   SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
   Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
  
  The very quick MFC is done to get this fix into 7.4 / 8.2.
  
  Discussed with:	re
  Approved by:	so (simon, for "instant" MFC)
  Obtained from:	OpenSSL CVS
  Security:	http://www.openssl.org/news/secadv_20110208.txt
  Security:	CVE-2011-0014

Modified:
  stable/7/crypto/openssl/ssl/t1_lib.c
Directory Properties:
  stable/7/crypto/openssl/   (props changed)

Modified: stable/7/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- stable/7/crypto/openssl/ssl/t1_lib.c	Sun Feb 13 10:22:43 2011	(r218633)
+++ stable/7/crypto/openssl/ssl/t1_lib.c	Sun Feb 13 10:24:36 2011	(r218634)
@@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 						}
 					n2s(data, idsize);
 					dsize -= 2 + idsize;
+					size -= 2 + idsize;
 					if (dsize < 0)
 						{
 						*al = SSL_AD_DECODE_ERROR;
@@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 					}
 
 				/* Read in request_extensions */
+				if (size < 2)
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
 				n2s(data,dsize);
 				size -= 2;
-				if (dsize > size) 
+				if (dsize != size)
 					{
 					*al = SSL_AD_DECODE_ERROR;
 					return 0;