From 04799a4274c814466f670f568ca442b8c1a2cbcb Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Tue, 29 Sep 2015 00:31:09 +0100 Subject: [PATCH] Fixed copy and paste error Accidental additional assignment in ssl_write_alpn_ext() --- ChangeLog | 12 +++++++++++- library/ssl_cli.c | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9e48e244..4eb8dd883 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,16 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS 2.1.1 released 2015-09-17 += mbed TLS 2.1.2 released 2015-10-xx + +Security + * Added fix for CVE-2015-xxxxx to prevent heap corruption due to buffer + overflow of the hostname or session ticket. + +Changes + * Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure + domain names are compliant with RFC 1035. + += mbe TLS 2.1.1 released 2015-09-17 Security * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 825a74f6e..1ba8648c9 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -535,7 +535,7 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) ); for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ ) - alpnlen += *p = (unsigned char)( strlen( *cur ) & 0xFF ); + alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1; if( end < p || (size_t)( end - p ) < 6 + alpnlen ) {