diff options
author | sthen <> | 2014-06-05 20:38:42 +0000 |
---|---|---|
committer | sthen <> | 2014-06-05 20:38:42 +0000 |
commit | 0c8830ddfc25774ee426618123fe07d7c8e136e7 (patch) | |
tree | 0ceea64d3290e6b9f6dac8491497f65d6fd0e67c | |
parent | 944844ebbb0c7d2235ec860c2d2b18018890eac5 (diff) | |
download | openbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.tar.gz openbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.tar.bz2 openbsd-0c8830ddfc25774ee426618123fe07d7c8e136e7.zip |
MFC DTLS "Hello Request" fix (CVE-2014-0221)
"Do not recurse when a 'Hello Request' message is received while getting
DTLS fragments. A stream of 'Hello Request' messages will result in
infinite recursion, eventually crashing the DTLS client or server.
Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad."
From d1_both.c r1.20
-rw-r--r-- | src/lib/libssl/src/ssl/d1_both.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c index 436ab67b7a..368bf44d7b 100644 --- a/src/lib/libssl/src/ssl/d1_both.c +++ b/src/lib/libssl/src/ssl/d1_both.c | |||
@@ -777,6 +777,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | |||
777 | int i,al; | 777 | int i,al; |
778 | struct hm_header_st msg_hdr; | 778 | struct hm_header_st msg_hdr; |
779 | 779 | ||
780 | again: | ||
780 | /* see if we have the required fragment already */ | 781 | /* see if we have the required fragment already */ |
781 | if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) | 782 | if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) |
782 | { | 783 | { |
@@ -835,8 +836,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | |||
835 | s->msg_callback_arg); | 836 | s->msg_callback_arg); |
836 | 837 | ||
837 | s->init_num = 0; | 838 | s->init_num = 0; |
838 | return dtls1_get_message_fragment(s, st1, stn, | 839 | goto again; |
839 | max, ok); | ||
840 | } | 840 | } |
841 | else /* Incorrectly formated Hello request */ | 841 | else /* Incorrectly formated Hello request */ |
842 | { | 842 | { |