aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2010-11-29 20:43:06 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2010-11-29 20:43:06 +0000
commit29f5bedd4fbd01c51ad32ecbc5dde0d5293f03c4 (patch)
treebcfecbeee74753907f1f36c06698083e4d2ed3a4
parent7418fb420f9048661643f3c03159692c474d078a (diff)
downloadsrc-29f5bedd4fbd01c51ad32ecbc5dde0d5293f03c4.tar.gz
src-29f5bedd4fbd01c51ad32ecbc5dde0d5293f03c4.zip
Fix a race condition exists in the OpenSSL TLS server extension code and
a double free in the SSL client ECDH handling code. Approved by: so (simon) Security: CVE-2010-2939, CVE-2010-3864 Security: FreeBSD-SA-10:10.openssl
Notes
Notes: svn path=/releng/8.1/; revision=216063
-rw-r--r--UPDATING3
-rw-r--r--crypto/openssl/ssl/s3_clnt.c1
-rw-r--r--crypto/openssl/ssl/t1_lib.c18
-rw-r--r--sys/conf/newvers.sh2
4 files changed, 19 insertions, 5 deletions
diff --git a/UPDATING b/UPDATING
index f2c69bc65ada..24f7a8ce290b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20101129: p2 FreeBSD-SA-10:10.openssl
+ Fix OpenSSL multiple vulnerabilities.
+
20100920: p1 FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index e5138b6e5eee..aa53506d073e 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -1377,6 +1377,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+ bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index 8b5311277015..e03ff493274c 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -432,14 +432,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
switch (servname_type)
{
case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
{
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
{
*al = TLS1_AD_UNRECOGNIZED_NAME;
return 0;
}
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
memcpy(s->session->tlsext_hostname, sdata, len);
s->session->tlsext_hostname[len]='\0';
if (strlen(s->session->tlsext_hostname) != len) {
@@ -452,7 +461,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
}
else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
break;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index eb06c3aa0271..97049e0f97bd 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi