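--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -714,14 +714,23 @@
 		switch (servname_type)
 			{
 		case TLSEXT_NAMETYPE_host_name:
-			if (s->session->tlsext_hostname == NULL)
+			if (!s->hit)
 				{
-				if (len > TLSEXT_MAXLEN_host_name ||
-					((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+				if(s->session->tlsext_hostname)
+					{
+					*al = SSL_AD_DECODE_ERROR;
+					return 0;
+					}
+				if (len > TLSEXT_MAXLEN_host_name)
 					{
 					*al = TLS1_AD_UNRECOGNIZED_NAME;
 					return 0;
 					}
+				if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
 				memcpy(s->session->tlsext_hostname, sdata, len);
 				s->session->tlsext_hostname[len]='\0';
 				if (strlen(s->session->tlsext_hostname) != len) {
@@ -734,7 +743,8 @@
 
 				}
 			else
-				s->servername_done = strlen(s->session->tlsext_hostname) == len
+				s->servername_done = s->session->tlsext_hostname
+					&& strlen(s->session->tlsext_hostname) == len
 					&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
 
 			break;
@@ -765,15 +775,22 @@
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			s->session->tlsext_ecpointformatlist_length = 0;
-			if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-			if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+			if (!s->hit)
 				{
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
+				if(s->session->tlsext_ecpointformatlist)
+					{
+					*al = TLS1_AD_DECODE_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ecpointformatlist_length = 0;
+				if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+				memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 				}
-			s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-			memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
 			sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
 				}
-			s->session->tlsext_ellipticcurvelist_length = 0;
-			if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
-			if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+			if (!s->hit)
 				{
-				*al = TLS1_AD_INTERNAL_ERROR;
-				return 0;
+				if(s->session->tlsext_ellipticcurvelist)
+					{
+					*al = TLS1_AD_DECODE_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ellipticcurvelist_length = 0;
+				if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+					{
+					*al = TLS1_AD_INTERNAL_ERROR;
+					return 0;
+					}
+				s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+				memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 				}
-			s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-			memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
 			fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
 			sdata = s->session->tlsext_ellipticcurvelist;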
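Review bot: In the ec_point_formats hunk, the new `if (!s->hit)` branch still calls `OPENSSL_malloc(ecpointformatlist_length)` with whatever length the check above the hunk admits; that check is not visible here, but if it only compares against `size`, a zero-length list (RFC 4492 requires at least one format) becomes a malloc(0) whose NULL return on some platforms is then reported as `TLS1_AD_INTERNAL_ERROR` instead of a decode error. Reject it before allocating: `if (ecpointformatlist_length == 0) { *al = TLS1_AD_DECODE_ERROR; return 0; }`. The reason the resumed path now leaves the session untouched and does not compare the client's list with the cached one is stated nowhere in the code; a comment on the `if (!s->hit)` line such as `/* Only a fresh session may be written; on resumption s->session is presumably a shared cache entry, so the cached list is kept as-is. */` would preserve the invariant for the next maintainer. The `tlsext_ecpointformatlist_length = 0;` assignment is now redundant after the NULL-pointer check but harmless. The enclosing switch case continues outside the hunk.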
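Review bot: In the elliptic_curves hunk, the new `memcpy` at the end of the `!s->hit` branch caches the curve list without checking that `ellipticcurvelist_length` is even; the length check above the hunk is not visible, but if it only compares against `size`, an odd-length list (a sequence of 2-byte NamedCurve IDs per RFC 4492) is accepted and stored for later consumers to walk in pairs. Reject it up front: `if (ellipticcurvelist_length == 0 || (ellipticcurvelist_length & 1)) { *al = TLS1_AD_DECODE_ERROR; return 0; }`. The duplicate-extension / allocate / copy sequence is now repeated almost verbatim for the hostname, point-format and curve branches, and the hostname branch spells the same alert as `SSL_AD_DECODE_ERROR` while these two use `TLS1_AD_DECODE_ERROR`; a small static helper taking the destination pointer and length, and one alert name, would keep the three from drifting. The enclosing switch case continues outside the hunk.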