Fix memory leak with crafted ClientHello

2024-11-22 10:55:38 +01:00 · 2014-10-17 12:42:11 +02:00 · 2014-10-17 12:42:11 +02:00 · 43c3b28ca6
commit 43c3b28ca6
parent 5d8618539f
2 changed files with 10 additions and 0 deletions
--- a/3
+++ b/3
@ -7,6 +7,9 @@ Security
   * Remotely-triggerable memory leak when parsing some X.509 certificates
     (server is not affected if it doesn't ask for a client certificate).
     (Found using Codenomicon Defensics.)
+   * Remotely-triggerable memory leak when parsing crafted ClientHello
+     (not affected is ECC support was compiled out).
+     (Found using Codenomicon Defensics.)

 Bugfix
   * Support escaping of commas in x509_string_to_names()
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -528,6 +528,13 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
    }

+    /* Should never happen unless client duplicates the extension */
+    if( ssl->handshake->curves != NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
    /* Don't allow our peer to make us allocate too much memory,
     * and leave room for a final 0 */
    our_size = list_size / 2 + 1;