From e08094e604caf1fceb1fba7a4cae0f1937ffe7ef Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 23 Sep 2016 23:16:30 -0700 Subject: openssl: Security fix CVE-2016-6304 affects openssl < 1.0.1i (From OE-Core rev: ae1db7aea891978e42e5205d2ffc93c16703134c) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../openssl/openssl/CVE-2016-6304.patch | 75 ++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch (limited to 'meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch') diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch new file mode 100644 index 0000000000..64508b57c2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-6304.patch @@ -0,0 +1,75 @@ +From ea39b16b71e4e72a228a4535bd6d6a02c5edbc1f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 9 Sep 2016 10:08:45 +0100 +Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth + +A malicious client can send an excessively large OCSP Status Request +extension. If that client continually requests renegotiation, +sending a large OCSP Status Request extension each time, then there will +be unbounded memory growth on the server. This will eventually lead to a +Denial Of Service attack through memory exhaustion. Servers with a +default configuration are vulnerable even if they do not support OCSP. +Builds using the "no-ocsp" build time option are not affected. + +I have also checked other extensions to see if they suffer from a similar +problem but I could not find any other issues. + +CVE-2016-6304 + +Issue reported by Shi Lei. + +Reviewed-by: Rich Salz + +Upstream-Status: Backport +CVE: CVE-2016-6304 +Signed-off-by: Armin Kuster + +--- + ssl/t1_lib.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fbcf2e6..e4b4e27 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -2316,6 +2316,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + size -= 2; + if (dsize > size) + goto err; ++ ++ /* ++ * We remove any OCSP_RESPIDs from a previous handshake ++ * to prevent unbounded memory growth - CVE-2016-6304 ++ */ ++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, ++ OCSP_RESPID_free); ++ if (dsize > 0) { ++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); ++ if (s->tlsext_ocsp_ids == NULL) { ++ *al = SSL_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ } else { ++ s->tlsext_ocsp_ids = NULL; ++ } ++ + while (dsize > 0) { + OCSP_RESPID *id; + int idsize; +@@ -2335,13 +2352,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + OCSP_RESPID_free(id); + goto err; + } +- if (!s->tlsext_ocsp_ids +- && !(s->tlsext_ocsp_ids = +- sk_OCSP_RESPID_new_null())) { +- OCSP_RESPID_free(id); +- *al = SSL_AD_INTERNAL_ERROR; +- return 0; +- } + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { + OCSP_RESPID_free(id); + *al = SSL_AD_INTERNAL_ERROR; +-- +2.7.4 + -- cgit v1.2.3-54-g00ecf