authorCatalin Popeanga <Catalin.Popeanga@enea.com>2014-10-15 15:25:34 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 18:19:35 (GMT)
commit7acaea28f48b875d701d92f3222ec1995ceda1c3 (patch)
treef1fc42d8e2cb08ee930efffe05744c1300ed057a
parent5862d3229bf1722ab8d3e848ef041240f3580f74 (diff)
Fix CVE-2014-3513
Fix for SRTP Memory Leak. This patch is a backport from OpenSSL_1.0.1j. Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
-rw-r--r--meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch210
-rw-r--r--meta/recipes-connectivity/openssl/openssl_1.0.1g.bb1
2 files changed, 211 insertions, 0 deletions
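--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/openssl-fix-CVE-2014-3513.patch
@@ -0,0 +1,210 @@
+From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Wed, 15 Oct 2014 01:20:38 +0100
+Subject: [PATCH] Fix for SRTP Memory Leak
+
+CVE-2014-3513
+
+This issue was reported to OpenSSL on 26th September 2014, based on an origi
+issue and patch developed by the LibreSSL project. Further analysis of the i
+was performed by the OpenSSL team.
+
+The fix was developed by the OpenSSL team.
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+---
+ ssl/d1_srtp.c | 93 +++++++++++++++++++--------------------------------------
+ ssl/t1_lib.c | 9 +++---
+ 2 files changed, 36 insertions(+), 66 deletions(-)
+
+diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
+index ab9c419..535539b 100644
+--- a/ssl/d1_srtp.c
++++ b/ssl/d1_srtp.c
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
+ return 1;
+ }
+
+-static int find_profile_by_num(unsigned profile_num,
+- SRTP_PROTECTION_PROFILE **pptr)
+- {
+- SRTP_PROTECTION_PROFILE *p;
+-
+- p=srtp_known_profiles;
+- while(p->name)
+- {
+- if(p->id == profile_num)
+- {
+- *pptr=p;
+- return 0;
+- }
+- p++;
+- }
+-
+- return 1;
+- }
+-
+ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+ {
+ STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
+ if(!find_profile_by_name(ptr,&p,
+ col ? col-ptr : (int)strlen(ptr)))
+ {
++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
++ {
++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
++ return 1;
++ }
++
+ sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+ }
+ else
+ {
+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+ return 1;
+ }
+
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
+
+ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+ {
+- SRTP_PROTECTION_PROFILE *cprof,*sprof;
+- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
++ SRTP_PROTECTION_PROFILE *sprof;
++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+ int ct;
+ int mki_len;
+- int i,j;
+- int id;
+- int ret;
++ int i, srtp_pref;
++ unsigned int id;
+
+ /* Length value + the MKI length */
+ if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+ return 1;
+ }
+
++ srvr=SSL_get_srtp_profiles(s);
++ s->srtp_profile = NULL;
++ /* Search all profiles for a match initially */
++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+
+- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+ while(ct)
+ {
+ n2s(d,id);
+ ct-=2;
+ len-=2;
+
+- if(!find_profile_by_num(id,&cprof))
++ /*
++ * Only look for match in profiles of higher preference than
++ * current match.
++ * If no profiles have been have been configured then this
++ * does nothing.
++ */
++ for (i = 0; i < srtp_pref; i++)
+ {
+- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+- }
+- else
+- {
+- ; /* Ignore */
++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
++ if (sprof->id == id)
++ {
++ s->srtp_profile = sprof;
++ srtp_pref = i;
++ break;
++ }
+ }
+ }
+
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
+ return 1;
+ }
+
+- srvr=SSL_get_srtp_profiles(s);
+-
+- /* Pick our most preferred profile. If no profiles have been
+- configured then the outer loop doesn't run
+- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+- and so we just return without doing anything */
+- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+- {
+- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+- {
+- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-
+- if(cprof->id==sprof->id)
+- {
+- s->srtp_profile=sprof;
+- *al=0;
+- ret=0;
+- goto done;
+- }
+- }
+- }
+-
+- ret=0;
+-
+-done:
+- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+- return ret;
++ return 0;
+ }
+
+ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 022a4fb..12ee3c9 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+
+ #ifndef OPENSSL_NO_SRTP
+- if(SSL_get_srtp_profiles(s))
++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+ {
+ int el;
+
+@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
+ #endif
+
+ #ifndef OPENSSL_NO_SRTP
+- if(s->srtp_profile)
++ if(SSL_IS_DTLS(s) && s->srtp_profile)
+ {
+ int el;
+
+@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+
+ /* session ticket processed earlier */
+ #ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
++ && type == TLSEXT_TYPE_use_srtp)
+ {
+ if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+ al))
+@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ }
+ #endif
+ #ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+ {
+ if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+ al))
+--
+1.7.9.5
+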
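Review bot: The header of the new .patch file (its lines 1-14) carries no `Upstream-Status:` tag, although the commit message describes the change as a backport from OpenSSL_1.0.1j; adding `Upstream-Status: Backport` above the `---` separator would keep that provenance with the patch when the recipe is next upgraded. Separately, the t1_lib.c hunks call `SSL_IS_DTLS(s)` in four places, and the new d1_srtp.c code uses `SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST`, while the patch touches only ssl/d1_srtp.c and ssl/t1_lib.c. The fix therefore relies on the 1.0.1g tree already providing both names, which is not visible on this page and is worth confirming with a build, since the patch was written against a later release. The duplicated words in the added comment (`have been have been configured`) match upstream and are best left as they are so the backport stays byte-comparable.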
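--- a/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
@@ -44,6 +44,7 @@ SRC_URI += "file://configure-targets.patch \
  file://0001-Fix-CVE-2014-3470.patch \
  file://run-ptest \
  file://openssl-fix-CVE-2014-3566.patch \
+ file://openssl-fix-CVE-2014-3513.patch \
  "
 
 SRC_URI[md5sum] = "de62b43dfcd858e66a74bee1c834e959"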