Package: gnutls26 / 2.8.6-1+squeeze3

20_CVE-2011-4128.part1.diff
From 190cef6eed37d0e73a73c1e205eb31d45ab60a3c Mon Sep 17 00:00:00 2001
From: Alban Crequy <alban.crequy@collabora.co.uk>
Date: Mon, 7 Nov 2011 18:51:27 +0000
Subject: [PATCH] gnutls_session_get_data: fix possible buffer overflow

The test to avoid the buffer overflow was always false because
session_data_size was set at the wrong place. This problem has been introduced
by this commit:

|commit ad4ed44c65e753e6d3a00104c049dd81826ccbf3
|Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|Date:   Mon Nov 7 22:24:48 2005 +0000
|
|    This is the initial commit in the 1.3 branch. Ported from the PSK branch:
|    * PSK ciphersuites have been added.
|    * The session resumption data are now system independent.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
 lib/gnutls_session.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
index 8028d5a..418a2ba 100644
--- a/lib/gnutls_session.c
+++ b/lib/gnutls_session.c
@@ -63,13 +63,13 @@ gnutls_session_get_data (gnutls_session_t session,
       gnutls_assert ();
       return ret;
     }
-  *session_data_size = psession.size;
 
   if (psession.size > *session_data_size)
     {
       ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
       goto error;
     }
+  *session_data_size = psession.size;
 
   if (session_data != NULL)
     memcpy (session_data, psession.data, psession.size);
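Review bot: In the `if (psession.size > *session_data_size)` branch the required size is no longer written back before `goto error`, so a caller that gets GNUTLS_E_SHORT_MEMORY_BUFFER has no way to learn how large a buffer to allocate for a retry. Moving the assignment below the check is what makes the bounds test effective, since the comparison now runs against the caller's buffer size rather than a value just overwritten with `psession.size`. Consider also setting `*session_data_size = psession.size;` inside the error branch, after the comparison has been made. A short comment above the check stating that `*session_data_size` is the caller's buffer capacity on input and the number of bytes written on output would help keep the assignment from being moved back above the test.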
-- 
1.7.2.5