authorSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 14:12:01 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 14:12:01 +0000
commitf8f8fb827d260bb6161b82bb67de04c0a4c9868c (patch)
treea26eccb6e65dd7f2eb671d66c3afbc34b457f864
parentb7421a6928c470446c8bd74218149745b1c1db16 (diff)
Import DTLS fix from upstream OpenSSL 0.9.8 branch:
Fix fragment handling memory leak. Note that this will not get a FreeBSD Security Advisory, as DTLS is experimental in OpenSSL. Security: CVE-2009-1378 Obtained from: OpenSSL CVS http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=196462
-rw-r--r--ssl/d1_both.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 15a201a25cf4..0c863179bc88 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];