author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2009-08-23 14:39:15 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2009-08-23 14:39:15 +0000 |
commit | f0c2a617dfb432d01bc5a716eb18dae12e6b45e3 (patch) | |
tree | 04375894d7f18d6e129dcdd750771164a143db08 | |
parent | 58c74b7534a4526075de41fd4b24bc769866523a (diff) |
Import DTLS fix from upstream OpenSSL 0.9.8 branch:vendor/openssl/0.9.8k-dtls-fixes
Fix DTLS fragment bug - out-of-sequence message handling which could
result in NULL pointer dereference in
dtls1_process_out_of_seq_message().
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
Security: CVE-2009-1387
Obtained from: OpenSSL CVS
http://cvs.openssl.org/chngview?cn=17958
Notes
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=196467
svn path=/vendor-crypto/openssl/0.9.8k-dtls-fixes/; revision=196468; tag=vendor/openssl/0.9.8k-dtls-fixes
-rw-r--r-- | ssl/d1_both.c | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 967d8c542ddb..017719210613 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 }
 }
 
- frag = dtls1_hm_fragment_new(frag_len);
- if ( frag == NULL)
- goto err;
+ if (frag_len)
+ {
+ frag = dtls1_hm_fragment_new(frag_len);
+ if ( frag == NULL)
+ goto err;
 
- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 
- if (frag_len)
- {
- /* read the body of the fragment (header has already been read */
+ /* read the body of the fragment (header has already been read) */
 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
 frag->fragment,frag_len,0);
 if (i<=0 || (unsigned long)i!=frag_len)
 goto err;
- }
 
- pq_64bit_init(&seq64);
- pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
 
- item = pitem_new(seq64, frag);
- pq_64bit_free(&seq64);
- if ( item == NULL)
- goto err;
+ item = pitem_new(seq64, frag);
+ pq_64bit_free(&seq64);
+ if ( item == NULL)
+ goto err;
+
+ pqueue_insert(s->d1->buffered_messages, item);
+ }
 
- pqueue_insert(s->d1->buffered_messages, item);
 return DTLS1_HM_FRAGMENT_RETRY;
 
 err:
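Review bot: The new `if (frag_len)` guard silently discards a zero-length out-of-sequence fragment — no fragment is allocated, nothing is queued, and the function still returns DTLS1_HM_FRAGMENT_RETRY — but nothing in the hunk says that this is the intended handling rather than an oversight, so a reader fixing the next bug here has to rediscover why. I would put a comment above the guard, e.g. `/* A zero-length fragment has no body to buffer; skip allocation and queueing so frag/item stay unset and the err: path has nothing to free. */`. That second clause is an inference: the `err:` label and the start of dtls1_process_out_of_seq_message are both outside the hunk, so whether `frag` and `item` are NULL-initialised before this block (which the cleanup there presumably relies on) should be confirmed against the surrounding code. The short-read check on `ssl_read_bytes` (`i<=0 || (unsigned long)i!=frag_len`) is unchanged and still routes a partial body to `err`, which is the right outcome for a truncated message.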