Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/gnutls/patches/03-cve-2011-4128.patch
author Ann Lai <ann.lai@oracle.com>
Fri, 20 Mar 2015 22:56:27 -0700
changeset 4062 f45bb9cec48c
permissions -rw-r--r--
20231912 Move GnuTLS from Desktop to Userland consolidation

Source:
http://www.gnutls.org/security.html
Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128
Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c     
in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client 
that performs nonstandard session resumption, allows remote TLS servers to 
cause a denial of service (application crash) via a large SessionTicket.
Status:
Need to determine if this patch has been sent upstream.

--- gnutls-2.8.6/lib/gnutls_session.c.orig	Fri Apr  6 11:19:30 2012
+++ gnutls-2.8.6/lib/gnutls_session.c	Fri Apr  6 11:19:51 2012
@@ -64,7 +64,6 @@
       gnutls_assert ();
       return ret;
     }
-  *session_data_size = psession.size;
 
   if (psession.size > *session_data_size)
     {
@@ -71,6 +70,7 @@
       ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
       goto error;
     }
+  *session_data_size = psession.size;
 
   if (session_data != NULL)
     memcpy (session_data, psession.data, psession.size);
upstream/oracle/userland-gate