diff --git a/ChangeLog b/ChangeLog index 84420b9e6..571cb3ba0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ Security * Remotely-triggerable memory leak when parsing some X.509 certificates (server is not affected if it doesn't ask for a client certificate). (Found using Codenomicon Defensics.) + * Remotely-triggerable memory leak when parsing crafted ClientHello + (not affected is ECC support was compiled out). + (Found using Codenomicon Defensics.) Bugfix * Support escaping of commas in x509_string_to_names() diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 6cce2ef9f..01b0aca20 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -528,6 +528,13 @@ static int ssl_parse_supported_elliptic_curves( ssl_context *ssl, return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } + /* Should never happen unless client duplicates the extension */ + if( ssl->handshake->curves != NULL ) + { + SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + /* Don't allow our peer to make us allocate too much memory, * and leave room for a final 0 */ our_size = list_size / 2 + 1;