[OpenSSL-1.0.2] CVE-2024-5535 SSL_select_next_proto buffer overread

Issue #401 resolved
Takehiko NOZAKI repo owner created an issue

Comments (1)

  1. Takehiko NOZAKI reporter

    BUGFIX: Issue #401 - CVE-2024-5535 SSL_select_next_proto buffer overread

    cherry picked from https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c modified by me

    original commit message:

    Fix SSL_select_next_proto

    Ensure that the provided client list is non-NULL and starts with a valid entry. When called from the ALPN callback the client list should already have been validated by OpenSSL so this should not cause a problem. When called from the NPN callback the client list is locally configured and will not have already been validated. Therefore SSL_select_next_proto should not assume that it is correctly formatted.

    We implement stricter checking of the client protocol list. We also do the same for the server list while we are about it.

    CVE-2024-5535

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/24718)

    (cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)

    → <<cset 5a69132fde20>>
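The stricter list checking described in the commit message, sketched as an added example; this is not code from the issue, the cherry-picked commit, or OpenSSL. The names `proto_list_valid` and `select_proto` are hypothetical, the sample lists are constructed, and failing closed when a list is malformed or nothing overlaps is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample lists: each entry is a 1-byte length, then that many bytes. */
static const unsigned char SERVER[] = {2,'h','2', 8,'h','t','t','p','/','1','.','1'};
static const unsigned char CLIENT[] = {8,'h','t','t','p','/','1','.','1'};
static const unsigned char TRUNCATED[] = {8,'h','t','t','p'}; /* claims 8, has 4 */

/* Hypothetical helper: 1 if the list is non-NULL, non-empty and every entry fits. */
static int proto_list_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (buf == NULL || len == 0)
        return 0;
    while (i < len) {
        size_t n = buf[i];
        if (n == 0 || n > len - i - 1) /* empty entry, or runs past the end */
            return 0;
        i += n + 1;
    }
    return 1;
}

/* Hypothetical selector; fails closed (0, *out = NULL) on no overlap or a bad list. */
static int select_proto(const unsigned char **out, unsigned char *outlen,
                        const unsigned char *server, size_t slen,
                        const unsigned char *client, size_t clen)
{
    *out = NULL;
    *outlen = 0;
    if (!proto_list_valid(server, slen) || !proto_list_valid(client, clen))
        return 0;
    for (size_t i = 0; i < slen; i += server[i] + 1u)
        for (size_t j = 0; j < clen; j += client[j] + 1u)
            if (server[i] == client[j] && !memcmp(server + i + 1, client + j + 1, server[i])) {
                *out = &server[i + 1];
                *outlen = server[i];
                return 1;
            }
    return 0;
}

int main(void)
{
    const unsigned char *out;
    unsigned char n;
    printf("%d %d\n", select_proto(&out, &n, SERVER, sizeof SERVER, CLIENT, sizeof CLIENT),
           select_proto(&out, &n, SERVER, sizeof SERVER, TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

Validating both lists before the comparison loop is what keeps `memcmp` from reading past a buffer whose length byte overstates the data that follows.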
