| author | Matt Caswell <matt@openssl.org> | 2016-09-10 21:24:40 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-09-22 09:27:45 +0100 |
| commit | b8d243956296458d1782af0d6e7ecfe6deae038a (patch) | |
| tree | d872fe2875ea7456e3aba9fda73f660199209c45 /ssl/record | |
| parent | c31dbed70c0be1578276367a1ba420ac935d0c68 (diff) | |
| download | openssl-b8d243956296458d1782af0d6e7ecfe6deae038a.tar.gz | |
Fix a hang with SSL_peek()
If while calling SSL_peek() we read an empty record then we go into an
infinite loop, continually trying to read data from the empty record and
never making any progress. This could be exploited by a malicious peer in
a Denial Of Service attack.
CVE-2016-6305
GitHub Issue #1563
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/record')
-rw-r--r-- | ssl/record/rec_layer_s3.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index abde9d4a73..0775095b9a 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1133,7 +1133,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, memcpy(buf, &(rr->data[rr->off]), n); buf += n; - if (!peek) { + if (peek) { + /* Mark any zero length record as consumed CVE-2016-6305 */ + if (SSL3_RECORD_get_length(rr) == 0) + SSL3_RECORD_set_read(rr); + } else { SSL3_RECORD_sub_length(rr, n); SSL3_RECORD_add_off(rr, n); if (SSL3_RECORD_get_length(rr) == 0) { |
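Review bot: the new `if (peek)` branch in `ssl3_read_bytes` marks an empty record as read, but the comment only cites the CVE and does not say why the peek path needs this while the non-peek path did not: a reader has to infer that the `else` branch consumes the record through `SSL3_RECORD_sub_length`/`SSL3_RECORD_add_off` and then reaches its own `if (SSL3_RECORD_get_length(rr) == 0)` block, whereas a peek by design never advances `rr->off` or reduces the length, so a zero-length record was handed back to the read loop unchanged on every iteration. Suggest expanding the comment to something like "A peek never advances the record, so an empty record would otherwise never be consumed and the caller would spin", so the intent survives future refactoring of the `else` branch. It would also be worth adding a regression test that presents a zero-length record to `SSL_peek()` and checks that the call returns instead of looping, since the hunk itself carries no test.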