diff options
| author | sthen <> | 2014-06-05 20:16:57 +0000 |
|---|---|---|
| committer | sthen <> | 2014-06-05 20:16:57 +0000 |
| commit | 6052fd1003ae90e7a6ec4b51688f8817c9e4221d (patch) | |
| tree | 80ba64fad0f31fe8e5443e6ab034ac88b2448f2f | |
| parent | 2c69ba1586afb1f474d34f169579b728e9ace142 (diff) | |
| download | openbsd-6052fd1003ae90e7a6ec4b51688f8817c9e4221d.tar.gz openbsd-6052fd1003ae90e7a6ec4b51688f8817c9e4221d.tar.bz2 openbsd-6052fd1003ae90e7a6ec4b51688f8817c9e4221d.zip | |
MFC DTLS buffer overflow fix (CVE-2014-0195)
"Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL
by Juri Aedla." From d1_both.c r1.19
| -rw-r--r-- | src/lib/libssl/src/ssl/d1_both.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c index 94ff9a2d14..5cbc0c6a44 100644 --- a/src/lib/libssl/src/ssl/d1_both.c +++ b/src/lib/libssl/src/ssl/d1_both.c | |||
| @@ -626,8 +626,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) | |||
| 626 | frag->msg_header.frag_len = frag->msg_header.msg_len; | 626 | frag->msg_header.frag_len = frag->msg_header.msg_len; |
| 627 | frag->msg_header.frag_off = 0; | 627 | frag->msg_header.frag_off = 0; |
| 628 | } | 628 | } |
| 629 | else | 629 | else { |
| 630 | frag = (hm_fragment*) item->data; | 630 | frag = (hm_fragment*) item->data; |
| 631 | if (frag->msg_header.msg_len != msg_hdr->msg_len) { | ||
| 632 | item = NULL; | ||
| 633 | frag = NULL; | ||
| 634 | goto err; | ||
| 635 | } | ||
| 636 | } | ||
| 631 | 637 | ||
| 632 | /* If message is already reassembled, this must be a | 638 | /* If message is already reassembled, this must be a |
| 633 | * retransmit and can be dropped. | 639 | * retransmit and can be dropped. |