From cbc9373f363b7fa86562f587a527b6e8d8688a4e Mon Sep 17 00:00:00 2001
From: Harin Vadodaria
Date: Thu, 13 Dec 2012 10:17:26 +0530
Subject: Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION DOPROCESSREPLY()

Description: Function DoProcessReply() calls function decrypt_message() in a while loop without performing a check on available buffer space. This can cause buffer overflow and crash the server. This patch is fix provided by Sawtooth to resolve the issue.
---
 extra/yassl/src/handshake.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'extra/yassl')

diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index c1ee61d043e..c7dbaf86071 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)
     while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { // each message in record, can be more than 1 if not encrypted
-        if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+        if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+            // sanity check for malicious/corrupted/illegal input
+            if (buffer.get_remaining() < hdr.length_) {
+                ssl.SetError(bad_input);
+                return 0;
+            }
             decrypt_message(ssl, buffer, hdr.length_);
+        }
         mySTL::auto_ptr msg(mf.CreateObject(hdr.type_));
         if (!msg.get()) {
-- 
cgit v1.2.1
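Review bot: The new length guard is nested inside the `pending_ == false` (cipher on) branch, so a record whose peer-supplied `hdr.length_` exceeds the bytes actually buffered is only rejected on the encrypted path; on the plaintext path the loop still runs the message factory and parsers against the same mismatch, unless the caller already verifies the whole record is buffered before entering this loop (that code is outside the hunk, so I cannot confirm it). Since `hdr.length_` comes straight off the wire, the cheaper and safer placement is once per record, before the `while`, rather than once per message inside it: `if (buffer.get_remaining() < hdr.length_) { ssl.SetError(bad_input); return 0; }`. The added comment should also say what is being protected, e.g. `// hdr.length_ is peer-controlled; refuse to let decrypt_message() read past the bytes received`. Note the guard does not bound `hdr.length_` against the maximum record size; if that is not checked where the header is parsed, an oversized but fully buffered record still reaches decrypt_message(). DoProcessReply begins before this hunk and continues past it.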