diff options
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch | 75 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.0.2h.bb | 1 |
2 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000000..64508b57c2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch @@ -0,0 +1,75 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz <rsalz@openssl.org> + +Upstream-Status: Backport +CVE: CVE-2016-6304 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fbcf2e6..e4b4e27 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; +- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; +-- +2.7.4 + diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb index 2e42e173a2..a12f59d18a 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2h.bb @@ -47,6 +47,7 @@ SRC_URI += "file://find.pl;subdir=${BP}/util/ \ file://CVE-2016-2182.patch \ file://CVE-2016-6302.patch \ file://CVE-2016-6303.patch \ + file://CVE-2016-6304.patch \ " SRC_URI[md5sum] = "9392e65072ce4b614c1392eefc1f23d0" SRC_URI[sha256sum] = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" |