Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION

DOPROCESSREPLY() Description: Merge from 5.1 to 5.5
author: Harin Vadodaria <harin.vadodaria@oracle.com> 2012-12-13 10:19:14 +0530
committer: Harin Vadodaria <harin.vadodaria@oracle.com> 2012-12-13 10:19:14 +0530
commit: ff73218be482586766fa2fa38330d68049de4b6d (patch)
tree: 82b567e0c278179afa964f3b48a982d550c52ad8 /extra/yassl/src
parent: fc311cc623193ee936b73f487568ae86f1f9a95c (diff)
parent: cbc9373f363b7fa86562f587a527b6e8d8688a4e (diff)
download: mariadb-git-ff73218be482586766fa2fa38330d68049de4b6d.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index c1ee61d043e..c7dbaf86071 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)
 
         while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
             // each message in record, can be more than 1 if not encrypted
-            if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+            if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+                // sanity check for malicious/corrupted/illegal input
+                if (buffer.get_remaining() < hdr.length_) {
+                    ssl.SetError(bad_input);
+                    return 0;
+                }
                 decrypt_message(ssl, buffer, hdr.length_);
+            }
                 
             mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
             if (!msg.get()) {
author	Harin Vadodaria <harin.vadodaria@oracle.com>	2012-12-13 10:19:14 +0530
committer	Harin Vadodaria <harin.vadodaria@oracle.com>	2012-12-13 10:19:14 +0530
commit	ff73218be482586766fa2fa38330d68049de4b6d (patch)
tree	82b567e0c278179afa964f3b48a982d550c52ad8 /extra/yassl/src
parent	fc311cc623193ee936b73f487568ae86f1f9a95c (diff)
parent	cbc9373f363b7fa86562f587a527b6e8d8688a4e (diff)
download	mariadb-git-ff73218be482586766fa2fa38330d68049de4b6d.tar.gz