summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorsthen <>2014-06-05 20:38:42 +0000
committersthen <>2014-06-05 20:38:42 +0000
commit0c8830ddfc25774ee426618123fe07d7c8e136e7 (patch)
tree0ceea64d3290e6b9f6dac8491497f65d6fd0e67c
parent944844ebbb0c7d2235ec860c2d2b18018890eac5 (diff)
downloadopenbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.tar.gz
openbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.tar.bz2
openbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.zip
MFC DTLS "Hello Request" fix (CVE-2014-0221)
"Do not recurse when a 'Hello Request' message is received while getting DTLS fragments. A stream of 'Hello Request' messages will result in infinite recursion, eventually crashing the DTLS client or server. Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad." From d1_both.c r1.20
-rw-r--r--src/lib/libssl/src/ssl/d1_both.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index 436ab67b7a..368bf44d7b 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -777,6 +777,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
777 int i,al; 777 int i,al;
778 struct hm_header_st msg_hdr; 778 struct hm_header_st msg_hdr;
779 779
780again:
780 /* see if we have the required fragment already */ 781 /* see if we have the required fragment already */
781 if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) 782 if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
782 { 783 {
@@ -835,8 +836,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
835 s->msg_callback_arg); 836 s->msg_callback_arg);
836 837
837 s->init_num = 0; 838 s->init_num = 0;
838 return dtls1_get_message_fragment(s, st1, stn, 839 goto again;
839 max, ok);
840 } 840 }
841 else /* Incorrectly formated Hello request */ 841 else /* Incorrectly formated Hello request */
842 { 842 {