commit | 3831173740ebdb35bc9371a3886dcaa1ce0b9227 | |
---|---|---|
author | Adam Langley <agl@google.com> | Thu Oct 16 19:04:35 2014 -0700 |
committer | Adam Langley <agl@google.com> | Mon Oct 20 19:05:48 2014 +0000 |
tree | 79b14df830570ff4a796006081ebfbe90006c938 | |
parent | 88333ef7d7d47221ede66a2a31626fc426466297 | |

Fix memory leak when decoding corrupt tickets.

This is CVE-2014-3567 from upstream. See
https://www.openssl.org/news/secadv_20141015.txt

Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815
Reviewed-on: https://boringssl-review.googlesource.com/1970
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a14ce5a..12c67b9 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c
@@ -2379,7 +2379,10 @@ HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); return 2; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
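
Review bot: Cleanup of ctx is handled by hand at each return, here in the CRYPTO_memcmp failure branch before `return 2;`, and that per-return pattern is what allowed this exit to skip it in the first place; consider routing the failure returns through a single exit that calls EVP_CIPHER_CTX_cleanup(&ctx), so a later early return cannot miss it. The decrypt path that starts after `p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);` is outside this hunk, so its error returns should be checked for the same omission. Since this branch is taken for any ticket whose MAC does not match `etick + eticklen`, a regression test that submits a ticket with a corrupted MAC under a leak checker would keep the fix from regressing.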