1 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
2 index 8bf2a9f60..f4386d0ba 100644
3 --- a/ssl/ssl_lib.c
4 +++ b/ssl/ssl_lib.c
5 @@ -2737,37 +2737,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
6 unsigned int server_len,
7 const unsigned char *client, unsigned int client_len)
9 - unsigned int i, j;
10 - const unsigned char *result;
11 - int status = OPENSSL_NPN_UNSUPPORTED;
12 + PACKET cpkt, csubpkt, spkt, ssubpkt;
14 + if (!PACKET_buf_init(&cpkt, client, client_len)
15 + || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
16 + || PACKET_remaining(&csubpkt) == 0) {
17 + *out = NULL;
18 + *outlen = 0;
19 + return OPENSSL_NPN_NO_OVERLAP;
20 + }
22 + /*
23 + * Set the default opportunistic protocol. Will be overwritten if we find
24 + * a match.
25 + */
26 + *out = (unsigned char *)PACKET_data(&csubpkt);
27 + *outlen = (unsigned char)PACKET_remaining(&csubpkt);
30 * For each protocol in server preference order, see if we support it.
32 - for (i = 0; i < server_len;) {
33 - for (j = 0; j < client_len;) {
34 - if (server[i] == client[j] &&
35 - memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
36 - /* We found a match */
37 - result = &server[i];
38 - status = OPENSSL_NPN_NEGOTIATED;
39 - goto found;
40 + if (PACKET_buf_init(&spkt, server, server_len)) {
41 + while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
42 + if (PACKET_remaining(&ssubpkt) == 0)
43 + continue; /* Invalid - ignore it */
44 + if (PACKET_buf_init(&cpkt, client, client_len)) {
45 + while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
46 + if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
47 + PACKET_remaining(&ssubpkt))) {
48 + /* We found a match */
49 + *out = (unsigned char *)PACKET_data(&ssubpkt);
50 + *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
51 + return OPENSSL_NPN_NEGOTIATED;
52 + }
53 + }
54 + /* Ignore spurious trailing bytes in the client list */
55 + } else {
56 + /* This should never happen */
57 + return OPENSSL_NPN_NO_OVERLAP;
59 - j += client[j];
60 - j++;
62 - i += server[i];
63 - i++;
64 + /* Ignore spurious trailing bytes in the server list */
67 - /* There's no overlap between our protocols and the server's list. */
68 - result = client;
69 - status = OPENSSL_NPN_NO_OVERLAP;
71 - found:
72 - *out = (unsigned char *)result + 1;
73 - *outlen = result[0];
74 - return status;
75 + /*
76 + * There's no overlap between our protocols and the server's list. We use
77 + * the default opportunistic protocol selected earlier
78 + */
79 + return OPENSSL_NPN_NO_OVERLAP;
82 #ifndef OPENSSL_NO_NEXTPROTONEG
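Review bot: The early return at patch lines 14–20 now leaves `*out = NULL` and `*outlen = 0` on an empty or malformed client list, whereas the removed code (patch lines 67–73) always pointed `*out` into the client buffer on OPENSSL_NPN_NO_OVERLAP, so any caller that uses `*out` without checking the return value — ALPN selection callbacks were the common pattern — can now dereference NULL; this contract change belongs in the function's public documentation, e.g. `On OPENSSL_NPN_NO_OVERLAP *out may be NULL and *outlen 0; check the return value before using *out` (the doc source is not in this patch). The `else { /* This should never happen */ return OPENSSL_NPN_NO_OVERLAP; }` branch at patch lines 55–57 is reached after the opportunistic default was already stored at lines 26–27, so the comment would read better as `/* Cannot fail: the same buffer was parsed above; fall back to the default */` to make clear that `*out` is still valid there. The gaps in the rendered gutter (patch lines 8, 13, 21, 28–29, 31, 58, 61, 65–66, 70, 80–81) suggest blank and brace-only lines were dropped by the page renderer rather than by the patch itself, so the function's closing brace is presumably among them and this hunk should be checked against the upstream commit before being applied.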