mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-06 20:20:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

More correctly handle a selected_len of 0 when processing NPN

Browse Source 
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.

Follow on from CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
This commit is contained in:
Matt Caswell 2024-05-31 11:18:27 +01:00
parent 2ebbe2d7ca
commit c6e1ea2235
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/statem/extensions_clnt.c
View File

@ -1598,8 +1598,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s),
&selected, &selected_len,
PACKET_data(pkt), PACKET_remaining(pkt),
sctx->ext.npn_select_cb_arg) !=
SSL_TLSEXT_ERR_OK) {
sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK
|| selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}