From: Date: January 24 2008 12:08pm Subject: bk commit into 5.1 tree (tomas:1.2658) BUG#33814 List-Archive: http://lists.mysql.com/commits/41199 X-Bug: 33814 Message-Id: <20080124110810.35C8F181EDA24@linux.local> Below is the list of changes that have just been committed into a local 5.1 repository of tomas. When tomas does a push these changes will be propagated to the main repository and, within 24 hours after the push, to the public repository. For information on how to access the public repository see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html ChangeSet@stripped, 2008-01-24 12:08:04+01:00, tomas@stripped +3 -0 Bug#33814 - yassl problems (recommit) extra/yassl/src/handshake.cpp@stripped, 2008-01-24 12:08:01+01:00, tomas@stripped +5 -0 Bug#33814 - yassl problems (recommit) extra/yassl/src/template_instnt.cpp@stripped, 2008-01-24 12:08:01+01:00, tomas@stripped +1 -0 new template instantiation (recommit) extra/yassl/src/yassl_imp.cpp@stripped, 2008-01-24 12:08:01+01:00, tomas@stripped +10 -1 Bug#33814 - yassl problems (recommit) diff -Nrup a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp --- a/extra/yassl/src/handshake.cpp 2007-08-28 09:57:52 +02:00 +++ b/extra/yassl/src/handshake.cpp 2008-01-24 12:08:01 +01:00 @@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer& input.read(len, sizeof(len)); uint16 randomLen; ato16(len, randomLen); + if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN || + randomLen > RAN_LEN) { + ssl.SetError(bad_input); + return; + } int j = 0; for (uint16 i = 0; i < ch.suite_len_; i += 3) { diff -Nrup a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp --- a/extra/yassl/src/template_instnt.cpp 2007-01-29 17:54:36 +01:00 +++ b/extra/yassl/src/template_instnt.cpp 2008-01-24 12:08:01 +01:00 
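Review bot: The new guard in ProcessOldClientHello bounds `ch.suite_len_`, `sessionLen` and `randomLen` by the sizes of the destination fields, but none of the three is compared with the bytes actually left in `input`. A short SSLv2 hello that declares lengths within those limits can still, as far as the hunk shows, drive the `for (uint16 i = 0; i < ch.suite_len_; i += 3)` loop and the later reads beyond the received data, unless input_buffer checks every read itself. I would extend the condition with `|| uint(ch.suite_len_) + sessionLen + randomLen > input.get_remaining()`, using the same get_remaining() call this commit adds in yassl_imp.cpp. Since the loop steps by 3, a `ch.suite_len_ % 3 != 0` term would also reject a malformed cipher-spec length. The function body starts and ends outside the hunk, so any reads between the length parsing and this check are not visible here.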
@@ -101,6 +101,7 @@ template void ysArrayDelete(char*); template int min(int, int); +template uint16 min(uint16, uint16); template unsigned int min(unsigned int, unsigned int); template unsigned long min(unsigned long, unsigned long); } diff -Nrup a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp --- a/extra/yassl/src/yassl_imp.cpp 2007-01-29 17:54:36 +01:00 +++ b/extra/yassl/src/yassl_imp.cpp 2008-01-24 12:08:01 +01:00 @@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buff } uint len = c24to32(length_); + if (len > input.get_remaining()) { + ssl.SetError(bad_input); + return; + } hashHandShake(ssl, input, len); hs->set_length(len); @@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& i // Suites byte tmp[2]; + uint16 len; tmp[0] = input[AUTO]; tmp[1] = input[AUTO]; - ato16(tmp, hello.suite_len_); + ato16(tmp, len); + + hello.suite_len_ = min(len, static_cast(MAX_SUITE_SZ)); input.read(hello.cipher_suites_, hello.suite_len_); + if (len > hello.suite_len_) // ignore extra suites + input.set_current(input.get_current() + len - hello.suite_len_); // Compression hello.comp_len_ = input[AUTO];
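Review bot: The added `len > input.get_remaining()` check in HandShakeHeader::Process has no comment, and it deserves one because it is the only thing between the peer-supplied 24-bit `length_` and the `hashHandShake(ssl, input, len)` call. Suggested comment above it: `// length_ comes from the peer; never hash or parse more than the bytes actually buffered`. If `input` holds a single record at this point (not visible here), a handshake message legitimately split across records is now reported as bad_input as well; if that is intended, saying so in the comment helps whoever triages the error later. The function starts before and continues after the hunk.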
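Review bot: In the ClientHello `operator>>`, the peer-supplied `len` is capped against MAX_SUITE_SZ for the copy but never compared with `input.get_remaining()`, so both `input.read(hello.cipher_suites_, hello.suite_len_)` and the skip `input.set_current(input.get_current() + len - hello.suite_len_)` can address past the received bytes unless input_buffer validates positions itself. The following `hello.comp_len_ = input[AUTO]` would then read from wherever the cursor landed. A guard such as `if (len > input.get_remaining())` before the read is needed; how to report the failure depends on code outside the hunk, since no SSL object is visible in this operator. This path also silently truncates an oversized suite list while ProcessOldClientHello in the same commit rejects it with bad_input, and a comment stating why the two differ would help.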