]> git.ipfire.org Git - thirdparty/openssl.git/commit
projects / thirdparty / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: b76a6c2) | patch
Fix SSL_select_next_proto
authorMatt Caswell <matt@openssl.org>
Fri, 31 May 2024 10:14:33 +0000 (11:14 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 27 Jun 2024 09:30:51 +0000 (10:30 +0100)
commit2ebbe2d7ca8551c4cb5fbb391ab9af411708090e
tree3ec2b2be51d48278ae3596fba5278e2b0be47ddftree | snapshot
parentb76a6c26a254b4cc428275fc0ced56759dd5088acommit | diff
Fix SSL_select_next_proto

Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.

We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.

CVE-2024-5535

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24716)
ssl/ssl_lib.c diff | blob | blame | history
Mirror of https://github.com/openssl/openssl.git