git.ipfire.org Git - thirdparty/openssl.git/commit
Fix SSL_select_next_proto
author     Matt Caswell <matt@openssl.org>
           Fri, 31 May 2024 10:14:33 +0000 (11:14 +0100)
committer  Matt Caswell <matt@openssl.org>
           Thu, 27 Jun 2024 09:39:47 +0000 (10:39 +0100)
commit     cf6f91f6121f4db167405db2f0de410a456f260c
tree       32fa1257f4d576fe087148d00089eb276861b731
parent     a6facb1042adda2394dc5c98fbceb7625eef141a
Fix SSL_select_next_proto

Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.

We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.

CVE-2024-5535

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)

(cherry picked from commit 4ada436a1946cbb24db5ab4ca082b69c1bc10f37)
ssl/ssl_lib.c
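The validation the commit message describes, as an added C example modelled on that description and not taken from OpenSSL's ssl_lib.c: proto_list_valid and select_next_proto are hypothetical names, and the example simply rejects any malformed list before comparing bytes, which is a simplification rather than the library's code.

```c
#include <stddef.h>
#include <string.h>

#define PROTO_NEGOTIATED 1   /* mirrors OPENSSL_NPN_NEGOTIATED */
#define PROTO_NO_OVERLAP 2   /* mirrors OPENSSL_NPN_NO_OVERLAP */
/* A list is entries of one length byte N (1..255) followed by N bytes.
 * Returns 1 only if the list is non-NULL, non-empty, every entry fits
 * inside the buffer and no entry is empty (hypothetical helper). */
static int proto_list_valid(const unsigned char *list, unsigned int len)
{
    unsigned int i = 0;
    if (list == NULL || len == 0)
        return 0;
    while (i < len) {
        unsigned int n = list[i];
        if (n == 0 || n > len - i - 1)  /* empty entry or runs past the end */
            return 0;
        i += 1 + n;
    }
    return 1;
}

/* Pick the first server-preferred protocol the client also offers. Both
 * lists are validated before any byte is compared, so a malformed locally
 * configured NPN list cannot drive an over-read. With no overlap the first
 * client entry is reported, as the SSL_select_next_proto man page describes. */
static int select_next_proto(const unsigned char **out, unsigned char *outlen,
                             const unsigned char *server, unsigned int server_len,
                             const unsigned char *client, unsigned int client_len)
{
    unsigned int s, c;
    *out = NULL;
    *outlen = 0;
    if (!proto_list_valid(client, client_len))
        return PROTO_NO_OVERLAP;
    *out = client + 1;           /* opportunistic default: first client entry */
    *outlen = client[0];
    if (!proto_list_valid(server, server_len))
        return PROTO_NO_OVERLAP;
    for (s = 0; s < server_len; s += 1 + server[s])
        for (c = 0; c < client_len; c += 1 + client[c])
            if (client[c] == server[s]
                && memcmp(client + c + 1, server + s + 1, server[s]) == 0) {
                *out = server + s + 1;
                *outlen = server[s];
                return PROTO_NEGOTIATED;
            }
    return PROTO_NO_OVERLAP;
}
```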