40 lines
1.6 KiB
Diff
40 lines
1.6 KiB
Diff
|
From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001
|
||
|
From: Matt Caswell <matt@openssl.org>
|
||
|
Date: Fri, 31 May 2024 11:18:27 +0100
|
||
|
Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when
|
||
|
processing NPN
|
||
|
|
||
|
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
|
||
|
the selected_len is 0 we should fail. Previously this would fail with an
|
||
|
internal_error alert because calling OPENSSL_malloc(selected_len) will
|
||
|
return NULL when selected_len is 0. We make this error detection more
|
||
|
explicit and return a handshake failure alert.
|
||
|
|
||
|
Follow on from CVE-2024-5535
|
||
|
|
||
|
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||
|
(Merged from https://github.com/openssl/openssl/pull/24717)
|
||
|
---
|
||
|
ssl/statem/extensions_clnt.c | 4 ++--
|
||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
||
|
index 381a6c9d7b..1ab3c13d57 100644
|
||
|
--- a/ssl/statem/extensions_clnt.c
|
||
|
+++ b/ssl/statem/extensions_clnt.c
|
||
|
@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
|
||
|
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
|
||
|
&selected, &selected_len,
|
||
|
PACKET_data(pkt), PACKET_remaining(pkt),
|
||
|
- sctx->ext.npn_select_cb_arg) !=
|
||
|
- SSL_TLSEXT_ERR_OK) {
|
||
|
+ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|
||
|
+ || selected_len == 0) {
|
||
|
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
|
||
|
return 0;
|
||
|
}
|
||
|
--
|
||
|
2.46.0
|
||
|
|