git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Fri, 31 May 2024 10:14:33 +0000 (11:14 +0100)
committer	Matt Caswell <matt@openssl.org>
	Thu, 27 Jun 2024 09:37:54 +0000 (10:37 +0100)
commit	4ada436a1946cbb24db5ab4ca082b69c1bc10f37
tree	a03114f409f7225ac4037b27b0c6b4c664d17bdb	tree \| snapshot
parent	93991bf3de4910f7be02c8aa55923e9331761a80	commit \| diff

Fix SSL_select_next_proto

Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.

We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.

CVE-2024-5535

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)