author | sthen <> | 2014-06-05 20:39:10 +0000 |
---|---|---|
committer | sthen <> | 2014-06-05 20:39:10 +0000 |
commit | 3041d573373b96f84209a8cfd4306fb3276dc24a (patch) | |
tree | f54c27ecfbdb54684147eadac86ff096cd171d53 | |
parent | 0c8830ddfc25774ee426618123fe07d7c8e136e7 (diff) | |
MFC DTLS buffer overflow fix (CVE-2014-0195)
"Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL
by Juri Aedla." From d1_both.c r1.19
-rw-r--r-- | src/lib/libssl/src/ssl/d1_both.c | 8 |
1 files changed, 7 insertions, 1 deletions
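--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -619,8 +619,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 frag->msg_header.frag_len = frag->msg_header.msg_len;
 frag->msg_header.frag_off = 0;
 }
-else
+else {
 frag = (hm_fragment*) item->data;
+if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+item = NULL;
+frag = NULL;
+goto err;
+}
+}
 
 /* If message is already reassembled, this must be a
 * retransmit and can be dropped.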
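Review bot: The new length check in the `else` branch carries no comment, and neither the reason for the comparison nor the reason for clearing `item` and `frag` before `goto err` can be read off the hunk. The queued entry's buffer appears to have been sized from the first fragment's `msg_len` (the branch above the `else` is only partly visible), so a later fragment for the same message that advertises a different length has to be rejected before any copy. I would add `/* Buffer was sized from the first fragment's msg_len; a fragment claiming a different length must not be reassembled into it. */` above the `if`. Clearing both pointers presumably keeps the cleanup at `err`, which lies outside the hunk, from freeing a fragment the queue still owns; a short `/* queued fragment stays owned by the queue */` beside the assignments would record that. dtls1_reassemble_fragment starts before and continues past this hunk, so the earlier bounds checks and the `err` path should be confirmed against the full file.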