authorsthen <>2014-06-05 20:39:10 +0000
committersthen <>2014-06-05 20:39:10 +0000
commit3041d573373b96f84209a8cfd4306fb3276dc24a (patch)
treef54c27ecfbdb54684147eadac86ff096cd171d53
parent0c8830ddfc25774ee426618123fe07d7c8e136e7 (diff)
MFC DTLS buffer overflow fix (CVE-2014-0195)
"Avoid a buffer overflow that can be triggered by sending specially crafted DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL by Juri Aedla." From d1_both.c r1.19
-rw-r--r--src/lib/libssl/src/ssl/d1_both.c8
1 files changed, 7 insertions, 1 deletions
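diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index 368bf44d7b..0e0afd38be 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -619,8 +619,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 frag->msg_header.frag_len = frag->msg_header.msg_len;
 frag->msg_header.frag_off = 0;
 }
-else
+else {
 frag = (hm_fragment*) item->data;
+if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+item = NULL;
+frag = NULL;
+goto err;
+}
+}
 
 /* If message is already reassembled, this must be a
 * retransmit and can be dropped.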
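Review bot: The new `msg_len` comparison in the `else` branch has no comment saying why a mismatch must abort reassembly, and the reason cannot be read off the visible lines. Presumably the queued fragment's buffer was sized from the first fragment's `msg_len` (the allocation is outside the hunk), so a later fragment declaring a different total length has to be rejected before its offset and length are used; I would add `/* Every fragment of a message must declare the same msg_len; the reassembly buffer was sized from the first one (CVE-2014-0195). */` above the `if`. The `item = NULL; frag = NULL;` pair before `goto err` also needs a one-line comment such as `/* leave the queued fragment owned by the queue; err must not free it */`, because its correctness depends on what the `err` label does with those two pointers, and that label is not shown here. dtls1_reassemble_fragment starts and ends outside the hunk.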