Heartbleed Patch

Discussion in 'Tomato Firmware' started by DJF - EasyTomato, Apr 12, 2014.

  1. DJF - EasyTomato

    DJF - EasyTomato Serious Server Member

    Hopefully saves the devs some time

    Code:
    diff --git a/release/src/router/openssl/ssl/d1_both.c b/release/src/router/openssl/ssl/d1_both.c
    index de8bab8..436ab67 100644
    --- a/release/src/router/openssl/ssl/d1_both.c
    +++ b/release/src/router/openssl/ssl/d1_both.c
    @@ -1452,26 +1452,36 @@ dtls1_process_heartbeat(SSL *s)
        unsigned int payload;
        unsigned int padding = 16; /* Use minimum padding */
    
    -    /* Read type and payload length first */
    -    hbtype = *p++;
    -    n2s(p, payload);
    -    pl = p;
    -
        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);
    
    +    /* Read type and payload length first */
    +    if (1 + 2 + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard */
    +    hbtype = *p++;
    +    n2s(p, payload);
    +    if (1 + 2 + payload + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard per RFC 6520 sec. 4 */
    +    pl = p;
    +
        if (hbtype == TLS1_HB_REQUEST)
            {
            unsigned char *buffer, *bp;
    +        unsigned int write_length = 1 /* heartbeat type */ +
    +                       2 /* heartbeat length */ +
    +                       payload + padding;
            int r;
    
    +        if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
    +            return 0;
    +
            /* Allocate memory for the response, size is 1 byte
            * message type, plus 2 bytes payload length, plus
            * payload, plus padding
            */
    -        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    +        buffer = OPENSSL_malloc(write_length);
            bp = buffer;
    
            /* Enter response type, length and copy payload */
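Review bot: `buffer = OPENSSL_malloc(write_length);` is followed directly by `bp = buffer;` with no NULL check, so an allocation failure would presumably reach the response-building writes that follow this hunk. Adding `if (buffer == NULL) return -1;` before `bp = buffer;` would cover that case; the exact error value should follow the return convention of dtls1_process_heartbeat, which is not visible here. The function starts before this hunk and the request branch continues past its end, so the effect on the later writes is inferred from the lines shown.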
    @@ -1482,11 +1492,11 @@ dtls1_process_heartbeat(SSL *s)
            /* Random padding */
            RAND_pseudo_bytes(bp, padding);
    
    -        r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
    +        r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
    
            if (r >= 0 && s->msg_callback)
                s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
    -                buffer, 3 + payload + padding,
    +                buffer, write_length,
                    s, s->msg_callback_arg);
    
            OPENSSL_free(buffer);
    diff --git a/release/src/router/openssl/ssl/t1_lib.c b/release/src/router/openssl/ssl/t1_lib.c
    index 27c8e34..210b569 100644
    --- a/release/src/router/openssl/ssl/t1_lib.c
    +++ b/release/src/router/openssl/ssl/t1_lib.c
    @@ -2441,16 +2441,20 @@ tls1_process_heartbeat(SSL *s)
        unsigned int payload;
        unsigned int padding = 16; /* Use minimum padding */
    
    -    /* Read type and payload length first */
    -    hbtype = *p++;
    -    n2s(p, payload);
    -    pl = p;
    -
        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);
    
    +    /* Read type and payload length first */
    +    if (1 + 2 + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard */
    +    hbtype = *p++;
    +    n2s(p, payload);
    +    if (1 + 2 + payload + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard per RFC 6520 sec. 4 */
    +    pl = p;
    +
        if (hbtype == TLS1_HB_REQUEST)
            {
            unsigned char *buffer, *bp;
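Review bot: The TLS path is left without the `write_length` variable and the `if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) return 0;` cap that this patch adds to dtls1_process_heartbeat in d1_both.c. No further t1_lib.c hunk is shown, so the allocation and write after this hunk presumably still repeat the size expression by hand. The new `1 + 2 + payload + 16 > s->s3->rrec.length` check already keeps the response no larger than the received record, so this is a consistency point rather than a remaining overread. Both checks also hard-code `16` while `padding` is declared just above; a comment such as `/* type (1) + length (2) + minimum padding (16) */` on the first check, here and in d1_both.c, would tie the literal to it. The request branch continues outside the hunk.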
    
     
  2. Jacky444

    Jacky444 LI Guru Member

    Thanks, it does!
     