author | Dr. Stephen Henson <steve@openssl.org> | 2015-03-03 14:20:57 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-03-19 14:01:13 +0100 |
commit | 34e3edbf3a10953cb407288101fd56a629af22f9 (patch) | |
tree | 2bef6b1da44e6ac8792d6a9b5bc4a8933c2a17cc /ssl | |
parent | Reject invalid PSS parameters. (diff) | |
Fix for CVE-2015-0291
If a client renegotiates using an invalid signature algorithms extension
it will crash a server with a NULL pointer dereference.
Thanks to David Ramos of Stanford University for reporting this bug.
CVE-2015-0291
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/t1_lib.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b6e878ae21..8b75dba6ad 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2693,6 +2693,7 @@ int tls1_set_server_sigalgs(SSL *s)
 if (s->cert->shared_sigalgs) {
 OPENSSL_free(s->cert->shared_sigalgs);
 s->cert->shared_sigalgs = NULL;
+ s->cert->shared_sigalgslen = 0;
 }
 /* Clear certificate digests and validity flags */
 for (i = 0; i < SSL_PKEY_NUM; i++) {
@@ -3396,6 +3397,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
 if (c->shared_sigalgs) {
 OPENSSL_free(c->shared_sigalgs);
 c->shared_sigalgs = NULL;
+ c->shared_sigalgslen = 0;
 }
 /* If client use client signature algorithms if not NULL */
 if (!s->server && c->client_sigalgs && !is_suiteb) {
@@ -3418,12 +3420,14 @@ static int tls1_set_shared_sigalgs(SSL *s)
 preflen = c->peer_sigalgslen;
 }
 nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
- if (!nmatch)
- return 1;
- salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
- if (!salgs)
- return 0;
- nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+ if (nmatch) {
+ salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
+ if (!salgs)
+ return 0;
+ nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+ } else {
+ salgs = NULL;
+ }
 c->shared_sigalgs = salgs;
 c->shared_sigalgslen = nmatch;
 return 1;
|
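Review bot: The added `s->cert->shared_sigalgslen = 0;` sits inside the `if (s->cert->shared_sigalgs)` guard, so the length is cleared only when the pointer was non-NULL; the second hunk repeats the same shape in `tls1_set_shared_sigalgs` with `c->shared_sigalgslen = 0;`. Because the bug being fixed is a length that outlives its array, clearing the length unconditionally (moving the assignment to just after the closing brace in both places) would also repair a NULL pointer paired with a stale length left by any path not visible here. A one-line comment such as `/* shared_sigalgs == NULL must imply shared_sigalgslen == 0 */` would record the invariant for later readers. Both function bodies extend beyond their hunks.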
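Review bot: The rewritten tail of `tls1_set_shared_sigalgs` has no comment explaining why the zero-match case must fall through to the two assignments instead of returning early, which is what the removed `if (!nmatch) return 1;` got wrong. I would add above `if (nmatch) {` something like `/* Always store the result, even when empty, so pointer and length stay in sync */`. The `else { salgs = NULL; }` branch could be dropped if `salgs` were initialised to NULL at its declaration, which lies outside this hunk. The diffstat shown is limited to `ssl`, so it is not visible whether a regression test for the renegotiation case described in the commit message accompanies the change; if not, one would be worth adding.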