- Security Fix
Security: CVE-2009-1377 Security: CVE-2009-1378 Security: http://article.gmane.org/gmane.comp.security.oss.general/1769 PR: 134653
parent
cbb06659f8
commit
315e28571a
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=234274
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= openssl
|
||||
PORTVERSION= 0.9.8k
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security devel
|
||||
MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \
|
||||
ftp://ftp.openssl.org/%SUBDIR%/ \
|
||||
|
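--- a/security/openssl/files/patch-CVE-2009-1377
+++ b/security/openssl/files/patch-CVE-2009-1377
@@ -0,0 +1,46 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
+
+--- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100
++++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200
+@@ -237,3 +237,17 @@
+
+return ret;
+}
++
++int
++pqueue_size(pqueue_s *pq)
++{
++ pitem *item = pq->items;
++ int count = 0;
++
++ while(item != NULL)
++ {
++ count++;
++ item = item->next;
++ }
++ return count;
++}
+
+--- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200
++++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200
+@@ -89,5 +89,6 @@
+pitem *pqueue_next(piterator *iter);
+
+void pqueue_print(pqueue pq);
++int pqueue_size(pqueue pq);
+
+#endif /* ! HEADER_PQUEUE_H */
+
+--- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200
++++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200
+@@ -207,6 +207,10 @@
+DTLS1_RECORD_DATA *rdata;
+pitem *item;
+
++ /* Limit the size of the queue to prevent DOS attacks */
++ if (pqueue_size(queue->q) >= 100)
++ return 0;
++
+rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+item = pitem_new(priority, rdata);
+if (rdata == NULL || item == NULL)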
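Review bot: The queue cap in `if (pqueue_size(queue->q) >= 100)` in the ssl/d1_pkt.c hunk is a bare literal, and the comment above it does not say what happens to the record that is refused. I would name the limit, for example `#define DTLS1_MAX_BUFFERED_RECORDS 100` (a suggested name, not an existing macro), and extend the comment to `/* Limit the size of the queue to prevent DOS attacks; a record arriving while the queue is full is dropped, as a lost datagram would be */`. The bare `return 0;` records no error, and if the failure paths further down the function also return 0 (they are outside the hunk), a caller cannot tell a deliberate drop from an allocation failure; the function's header comment should state that. Separately, `pqueue_size()` reads `pq->items` without a NULL check and walks the whole list on each call, so a one-line comment saying it is O(n) and expects a non-NULL queue would help later callers.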
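--- a/security/openssl/files/patch-CVE-2009-1378
+++ b/security/openssl/files/patch-CVE-2009-1378
@@ -0,0 +1,22 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
+
+--- ssl/d1_both.c 2009-05-18 09:57:08.000000000 +0200
++++ ssl/d1_both.c 2009-05-18 10:08:51.000000000 +0200
+@@ -561,7 +561,16 @@
+if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+goto err;
+
+- if (msg_hdr->seq <= s->d1->handshake_read_seq)
++ /* Try to find item in queue, to prevent duplicate entries */
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ item = pqueue_find(s->d1->buffered_messages, seq64);
++ pq_64bit_free(&seq64);
++
++ /* Discard the message if sequence number was already there, is
++ * too far in the future or the fragment is already in the queue */
++ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+{
+unsigned char devnull [256];
+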
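Review bot: The look-ahead window in `msg_hdr->seq > s->d1->handshake_read_seq + 10` is an unnamed literal, and nothing states that it is what bounds how many out-of-order handshake messages one peer can make the receiver hold. A named constant (for example `DTLS1_MAX_FUTURE_HANDSHAKE_SEQ`, a suggested name only) with a comment giving that rationale would let the limit be reviewed alongside the record-queue cap in patch-CVE-2009-1377. The comparison presumably relies on both sequence fields being narrower than int, so that the `+ 10` is computed after promotion and cannot wrap; their declarations are not in the hunk, so this should be confirmed and noted in the comment. `item` and `seq64` are also declared outside the hunk, as are the start and end of the function, and since `item` serves only as a found/not-found flag here, a short comment could say so.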