1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Heartbleed Patch

Discussion in 'Tomato Firmware' started by DJF - EasyTomato, Apr 12, 2014.

  1. DJF - EasyTomato

    DJF - EasyTomato Serious Server Member

    Hopefully saves the devs some time

    Code:
    diff --git a/release/src/router/openssl/ssl/d1_both.c b/release/src/router/openssl/ssl/d1_both.c
    index de8bab8..436ab67 100644
    --- a/release/src/router/openssl/ssl/d1_both.c
    +++ b/release/src/router/openssl/ssl/d1_both.c
    @@ -1452,26 +1452,36 @@ dtls1_process_heartbeat(SSL *s)
        unsigned int payload;
        unsigned int padding = 16; /* Use minimum padding */
    
    -    /* Read type and payload length first */
    -    hbtype = *p++;
    -    n2s(p, payload);
    -    pl = p;
    -
        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);
    
    +    /* Read type and payload length first */
    +    if (1 + 2 + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard */
    +    hbtype = *p++;
    +    n2s(p, payload);
    +    if (1 + 2 + payload + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard per RFC 6520 sec. 4 */
    +    pl = p;
    +
        if (hbtype == TLS1_HB_REQUEST)
            {
            unsigned char *buffer, *bp;
    +        unsigned int write_length = 1 /* heartbeat type */ +
    +                       2 /* heartbeat length */ +
    +                       payload + padding;
            int r;
    
    +        if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
    +            return 0;
    +
            /* Allocate memory for the response, size is 1 byte
            * message type, plus 2 bytes payload length, plus
            * payload, plus padding
            */
    -        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    +        buffer = OPENSSL_malloc(write_length);
            bp = buffer;
    
            /* Enter response type, length and copy payload */
    @@ -1482,11 +1492,11 @@ dtls1_process_heartbeat(SSL *s)
            /* Random padding */
            RAND_pseudo_bytes(bp, padding);
    
    -        r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
    +        r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
    
            if (r >= 0 && s->msg_callback)
                s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
    -                buffer, 3 + payload + padding,
    +                buffer, write_length,
                    s, s->msg_callback_arg);
    
            OPENSSL_free(buffer);
    diff --git a/release/src/router/openssl/ssl/t1_lib.c b/release/src/router/openssl/ssl/t1_lib.c
    index 27c8e34..210b569 100644
    --- a/release/src/router/openssl/ssl/t1_lib.c
    +++ b/release/src/router/openssl/ssl/t1_lib.c
    @@ -2441,16 +2441,20 @@ tls1_process_heartbeat(SSL *s)
        unsigned int payload;
        unsigned int padding = 16; /* Use minimum padding */
    
    -    /* Read type and payload length first */
    -    hbtype = *p++;
    -    n2s(p, payload);
    -    pl = p;
    -
        if (s->msg_callback)
            s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
                &s->s3->rrec.data[0], s->s3->rrec.length,
                s, s->msg_callback_arg);
    
    +    /* Read type and payload length first */
    +    if (1 + 2 + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard */
    +    hbtype = *p++;
    +    n2s(p, payload);
    +    if (1 + 2 + payload + 16 > s->s3->rrec.length)
    +        return 0; /* silently discard per RFC 6520 sec. 4 */
    +    pl = p;
    +
        if (hbtype == TLS1_HB_REQUEST)
            {
            unsigned char *buffer, *bp;
    
     
  2. Jacky444

    Jacky444 Addicted to LI Member

    Thanks, it does!
     

Share This Page