commit 43c3b28ca6d22f51951e2bd563df039a9f4289ab
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Oct 17 12:42:11 2014 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Fri Oct 17 12:42:11 2014 +0200
tree 2b95fe6b2fb956adfa5a53ffd0150cd32dce7da5
parent 5d8618539f8e186c1b2c1b5a548d6f85936fe41f

Fix memory leak with crafted ClientHello

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 84420b9..571cb3b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,9 @@
    * Remotely-triggerable memory leak when parsing some X.509 certificates
      (server is not affected if it doesn't ask for a client certificate).
      (Found using Codenomicon Defensics.)
+   * Remotely-triggerable memory leak when parsing crafted ClientHello
+     (not affected is ECC support was compiled out).
+     (Found using Codenomicon Defensics.)
 
 Bugfix
    * Support escaping of commas in x509_string_to_names()

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 6cce2ef9..01b0aca 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -528,6 +528,13 @@
         return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
     }
 
+    /* Should never happen unless client duplicates the extension */
+    if( ssl->handshake->curves != NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
     /* Don't allow our peer to make us allocate too much memory,
      * and leave room for a final 0 */
     our_size = list_size / 2 + 1;