svn commit: r265987 - in releng/10.0: . crypto/openssl/ssl sys/conf sys/dev/ciss
Xin LI
delphij at FreeBSD.org
Tue May 13 23:22:29 UTC 2014
Author: delphij
Date: Tue May 13 23:22:28 2014
New Revision: 265987
URL: http://svnweb.freebsd.org/changeset/base/265987
Log:
Fix OpenSSL NULL pointer dereference vulnerability. [SA-14:09]
Security: FreeBSD-SA-14:09.openssl
Security: CVE-2014-0198
Fix data corruption with ciss(4). [EN-14:05]
Errata: FreeBSD-EN-14:05.ciss
Approved by: so
Modified:
releng/10.0/UPDATING
releng/10.0/crypto/openssl/ssl/s3_pkt.c
releng/10.0/sys/conf/newvers.sh
releng/10.0/sys/dev/ciss/ciss.c
Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING Tue May 13 23:19:16 2014 (r265986)
+++ releng/10.0/UPDATING Tue May 13 23:22:28 2014 (r265987)
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITH
stable/10, and then rebuild without this option. The bootstrap process from
older version of current is a bit fragile.
+20140513: p3 FreeBSD-SA-14:10.openssl
+ FreeBSD-EN-14:05.ciss
+
+ Fix OpenSSL NULL pointer deference vulnerability. [SA-14:10]
+
+ Fix data corruption with ciss(4). [EN-14:05]
+
20140430: p2 FreeBSD-SA-14:07.devfs
FreeBSD-SA-14:08.tcp
FreeBSD-SA-14:09.openssl
Modified: releng/10.0/crypto/openssl/ssl/s3_pkt.c
==============================================================================
--- releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:19:16 2014 (r265986)
+++ releng/10.0/crypto/openssl/ssl/s3_pkt.c Tue May 13 23:22:28 2014 (r265987)
@@ -657,6 +657,10 @@ static int do_ssl3_write(SSL *s, int typ
if (i <= 0)
return(i);
/* if it went, fall through and send more stuff */
+ /* we may have released our buffer, so get it again */
+ if (wb->buf == NULL)
+ if (!ssl3_setup_write_buffer(s))
+ return -1;
}
if (len == 0 && !create_empty_fragment)
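Review bot: The two nested `if` statements added after the fall-through comment carry no braces, so a later `else` or second statement can silently bind to the wrong one; `if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) return -1;` expresses the same check as a single condition. The new comment would help more if it named what can release the buffer, presumably the SSL_MODE_RELEASE_BUFFERS path taken while the pending alert is dispatched just above, for example `/* the alert write above may have freed wb->buf (SSL_MODE_RELEASE_BUFFERS); re-allocate before use */`. do_ssl3_write starts and ends outside the hunk, so whether other uses of `wb->buf` in the function need the same guard cannot be judged from these lines.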
Modified: releng/10.0/sys/conf/newvers.sh
==============================================================================
--- releng/10.0/sys/conf/newvers.sh Tue May 13 23:19:16 2014 (r265986)
+++ releng/10.0/sys/conf/newvers.sh Tue May 13 23:22:28 2014 (r265987)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="10.0"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/10.0/sys/dev/ciss/ciss.c
==============================================================================
--- releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:19:16 2014 (r265986)
+++ releng/10.0/sys/dev/ciss/ciss.c Tue May 13 23:22:28 2014 (r265987)
@@ -180,8 +180,6 @@ static int ciss_cam_emulate(struct ciss_
static void ciss_cam_poll(struct cam_sim *sim);
static void ciss_cam_complete(struct ciss_request *cr);
static void ciss_cam_complete_fixup(struct ciss_softc *sc, struct ccb_scsiio *csio);
-static struct cam_periph *ciss_find_periph(struct ciss_softc *sc,
- int bus, int target);
static int ciss_name_device(struct ciss_softc *sc, int bus, int target);
/* periodic status monitoring */
@@ -3398,27 +3396,6 @@ ciss_cam_complete_fixup(struct ciss_soft
/********************************************************************************
- * Find a peripheral attached at (target)
- */
-static struct cam_periph *
-ciss_find_periph(struct ciss_softc *sc, int bus, int target)
-{
- struct cam_periph *periph;
- struct cam_path *path;
- int status;
-
- status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
- target, 0);
- if (status == CAM_REQ_CMP) {
- periph = cam_periph_find(path, NULL);
- xpt_free_path(path);
- } else {
- periph = NULL;
- }
- return(periph);
-}
-
-/********************************************************************************
* Name the device at (target)
*
* XXX is this strictly correct?
@@ -3427,12 +3404,22 @@ static int
ciss_name_device(struct ciss_softc *sc, int bus, int target)
{
struct cam_periph *periph;
+ struct cam_path *path;
+ int status;
if (CISS_IS_PHYSICAL(bus))
return (0);
- if ((periph = ciss_find_periph(sc, bus, target)) != NULL) {
+
+ status = xpt_create_path(&path, NULL, cam_sim_path(sc->ciss_cam_sim[bus]),
+ target, 0);
+
+ if (status == CAM_REQ_CMP) {
+ mtx_lock(&sc->ciss_mtx);
+ periph = cam_periph_find(path, NULL);
sprintf(sc->ciss_logical[bus][target].cl_name, "%s%d",
periph->periph_name, periph->unit_number);
+ mtx_unlock(&sc->ciss_mtx);
+ xpt_free_path(path);
return(0);
}
sc->ciss_logical[bus][target].cl_name[0] = 0;
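Review bot: The result of `cam_periph_find(path, NULL)` is dereferenced in the sprintf() call without a NULL test, although the removed code only formatted the name when `ciss_find_periph()` returned non-NULL; a logical volume with no attached peripheral would now dereference a NULL pointer in the kernel. The NULL check should be restored inside the locked region, and `return(0)` taken only when a peripheral was found, so the existing fall-through still clears `cl_name`. While touching the line, sprintf() into `cl_name` is unbounded; assuming `cl_name` is a fixed-size array (its declaration is not visible here), snprintf() with `sizeof` keeps a long peripheral name from overrunning it. ciss_name_device continues past the end of the hunk.

```c
    if (status == CAM_REQ_CMP) {
	mtx_lock(&sc->ciss_mtx);
	periph = cam_periph_find(path, NULL);
	if (periph != NULL) {
	    snprintf(sc->ciss_logical[bus][target].cl_name,
		sizeof(sc->ciss_logical[bus][target].cl_name), "%s%d",
		periph->periph_name, periph->unit_number);
	}
	mtx_unlock(&sc->ciss_mtx);
	xpt_free_path(path);
	if (periph != NULL)
	    return(0);
    }
    /* … unchanged: clear cl_name when no peripheral was found … */
```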