From 02c27b113cfc6000d94644e19c06c0f45e3480af Mon Sep 17 00:00:00 2001 From: Bodo Möller Date: Sun, 23 Sep 2007 11:30:53 +0000 Subject: properly handle length-zero opaque PRF input values (which are pointless, but still might occur) --- ssl/s3_lib.c | 5 ++++- ssl/t1_lib.c | 21 ++++++++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 476d27a7b2..548eeef6f3 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2369,7 +2369,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } if (s->tlsext_opaque_prf_input != NULL) OPENSSL_free(s->tlsext_opaque_prf_input); - s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); + if ((size_t)larg == 0) + s->tlsext_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); if (s->tlsext_opaque_prf_input != NULL) { s->tlsext_opaque_prf_input_len = (size_t)larg; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0c7841402d..1aaf8905c8 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -664,8 +664,10 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); - - s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); + if (s->s3->client_opaque_prf_input_len == 0) + s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); if (s->s3->client_opaque_prf_input == NULL) { *al = TLS1_AD_INTERNAL_ERROR; @@ -777,7 +779,10 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); - s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); + if (s->s3->server_opaque_prf_input_len == 0) + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); if (s->s3->server_opaque_prf_input == NULL) { @@ -890,7 +895,10 @@ int ssl_prepare_clienthello_tlsext(SSL *s) if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); - s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + if (s->tlsext_opaque_prf_input_len == 0) + s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); if (s->s3->client_opaque_prf_input == NULL) { SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); @@ -990,7 +998,10 @@ int ssl_check_clienthello_tlsext(SSL *s) /* can only use this extension if we have a server opaque PRF input * of the same length as the client opaque PRF input! */ - s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + if (s->tlsext_opaque_prf_input_len == 0) + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; -- cgit v1.2.3