gnutls/patches/05-cve-2013-2116.patch

Source:
http://www.gnutls.org/security.html
Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS
2.12.23 allows remote attackers to cause a denial of service (buffer over-read
and crash) via a crafted padding length. NOTE: this might be due to an
incorrect fix for CVE-2013-0169.
Status:
Need to determine if this patch has been sent upstream.

--- gnutls-2.8.6/lib/gnutls_cipher.c.orig   2013-06-04 12:03:39.812680465 +0530
+++ gnutls-2.8.6/lib/gnutls_cipher.c    2013-06-04 12:02:56.766612394 +0530
@@ -554,6 +554,8 @@ _gnutls_ciphertext2compressed (gnutls_se
    }

       pad = ciphertext.data[ciphertext.size - 1];   /* pad */
+      if (pad+1 > ciphertext.size-hash_size)
+        pad_failed = GNUTLS_E_DECRYPTION_FAILED;

       /* Check the pading bytes (TLS 1.x).
        * Note that we access all 256 bytes of ciphertext for padding check