[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] r7978 - libmicrohttpd/src/daemon/https/tls
From: |
gnunet |
Subject: |
[GNUnet-SVN] r7978 - libmicrohttpd/src/daemon/https/tls |
Date: |
Sun, 30 Nov 2008 18:41:36 -0700 (MST) |
Author: lv-426
Date: 2008-11-30 18:41:35 -0700 (Sun, 30 Nov 2008)
New Revision: 7978
Modified:
libmicrohttpd/src/daemon/https/tls/ext_server_name.c
Log:
MHD_gtls_server_name_recv_params - address CVE-2008-1948
Modified: libmicrohttpd/src/daemon/https/tls/ext_server_name.c
===================================================================
--- libmicrohttpd/src/daemon/https/tls/ext_server_name.c 2008-11-26
19:09:03 UTC (rev 7977)
+++ libmicrohttpd/src/daemon/https/tls/ext_server_name.c 2008-12-01
01:41:35 UTC (rev 7978)
@@ -48,75 +48,88 @@
ssize_t data_size = _data_size;
int server_names = 0;
- if (session->security_parameters.entity == GNUTLS_SERVER)
+ DECR_LENGTH_RET (data_size, 2, 0);
+ len = MHD_gtls_read_uint16 (data);
+
+ if (len != data_size)
{
- DECR_LENGTH_RET (data_size, 2, 0);
- len = MHD_gtls_read_uint16 (data);
+ /* This is unexpected packet length, but
+ * just ignore it, for now.
+ */
+ MHD_gnutls_assert ();
+ return 0;
+ }
- if (len != data_size)
- {
- /* This is unexpected packet length, but
- * just ignore it, for now.
- */
- MHD_gnutls_assert ();
- return 0;
- }
+ p = data + 2;
- p = data + 2;
+ /* Count all server_names in the packet. */
+ while (data_size > 0)
+ {
+ DECR_LENGTH_RET (data_size, 1, 0);
+ p++;
- /* Count all server_names in the packet. */
- while (data_size > 0)
+ DECR_LEN (data_size, 2);
+ len = MHD_gtls_read_uint16 (p);
+ p += 2;
+
+ /* make sure supplied server name is not empty */
+ if (len > 0)
{
- DECR_LENGTH_RET (data_size, 1, 0);
- p++;
-
- DECR_LEN (data_size, 2);
- len = MHD_gtls_read_uint16 (p);
- p += 2;
-
DECR_LENGTH_RET (data_size, len, 0);
server_names++;
-
p += len;
}
+ else
+ {
+#if HAVE_MESSAGES
+ MHD__gnutls_handshake_log
+ ("HSK[%x]: Received zero size server name (under attack?)\n",
+ session);
+#endif
+ }
+ }
- session->security_parameters.extensions.server_names_size =
- server_names;
- if (server_names == 0)
- return 0; /* no names found */
+ /* we cannot accept more server names. */
+ if (server_names > MAX_SERVER_NAME_EXTENSIONS)
+ {
+#if HAVE_MESSAGES
+ MHD__gnutls_handshake_log
+ ("HSK[%x]: Too many server names received (under attack?)\n",
+ session);
+#endif
+ server_names = MAX_SERVER_NAME_EXTENSIONS;
+ }
- /* we cannot accept more server names.
- */
- if (server_names > MAX_SERVER_NAME_EXTENSIONS)
- server_names = MAX_SERVER_NAME_EXTENSIONS;
+ session->security_parameters.extensions.server_names_size = server_names;
+ if (server_names == 0)
+ return 0; /* no names found */
- p = data + 2;
- for (i = 0; i < server_names; i++)
- {
- type = *p;
- p++;
+ p = data + 2;
+ for (i = 0; i < server_names; i++)
+ {
+ type = *p;
+ p++;
- len = MHD_gtls_read_uint16 (p);
- p += 2;
+ len = MHD_gtls_read_uint16 (p);
+ p += 2;
- switch (type)
+ switch (type)
+ {
+ case 0: /* NAME_DNS */
+ if (len <= MAX_SERVER_NAME_SIZE)
{
- case 0: /* NAME_DNS */
- if (len <= MAX_SERVER_NAME_SIZE)
- {
- memcpy (session->security_parameters.
- extensions.server_names[i].name, p, len);
- session->security_parameters.extensions.server_names[i].
- name_length = len;
- session->security_parameters.extensions.server_names[i].
- type = GNUTLS_NAME_DNS;
- break;
- }
+ memcpy (session->security_parameters.extensions.server_names[i].
+ name, p, len);
+ session->security_parameters.extensions.
+ server_names[i].name_length = len;
+ session->security_parameters.extensions.server_names[i].type =
+ GNUTLS_NAME_DNS;
+ break;
}
+ }
- /* move to next record */
- p += len;
- }
+ /* move to next record */
+ p += len;
}
return 0;
}
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] r7978 - libmicrohttpd/src/daemon/https/tls,
gnunet <=