diff options
| author | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-13 10:19:14 +0530 |
|---|---|---|
| committer | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-13 10:19:14 +0530 |
| commit | ff73218be482586766fa2fa38330d68049de4b6d (patch) | |
| tree | 82b567e0c278179afa964f3b48a982d550c52ad8 | |
| parent | fc311cc623193ee936b73f487568ae86f1f9a95c (diff) | |
| parent | cbc9373f363b7fa86562f587a527b6e8d8688a4e (diff) | |
| download | mariadb-git-ff73218be482586766fa2fa38330d68049de4b6d.tar.gz | |
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY()
Description: Merge from 5.1 to 5.5
| -rw-r--r-- | extra/yassl/src/handshake.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp index c1ee61d043e..c7dbaf86071 100644 --- a/extra/yassl/src/handshake.cpp +++ b/extra/yassl/src/handshake.cpp @@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl) while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { // each message in record, can be more than 1 if not encrypted - if (ssl.getSecurity().get_parms().pending_ == false) // cipher on + if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on + // sanity check for malicious/corrupted/illegal input + if (buffer.get_remaining() < hdr.length_) { + ssl.SetError(bad_input); + return 0; + } decrypt_message(ssl, buffer, hdr.length_); + } mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_)); if (!msg.get()) { |