Avoid a buffer overflow that can be triggered by sending specially crafted

DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL by Juri Aedla. ok deraadt@ beck@
author: jsing <> 2014-06-05 16:53:15 +0000
committer: jsing <> 2014-06-05 16:53:15 +0000
commit: a5eaf8ae8a59227ec7a51920b1562ab92c770aae (patch)
tree: cd83aa9f3f4660d0c8a28f4eca0af3f6a4891618 /src/lib/libssl/d1_both.c
parent: 709e767ee1bae902c542e5d14cba5920b5b85177 (diff)
download: openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.tar.gz
openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.tar.bz2
openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 8e2843625b..3674ed6046 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
                memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
                frag->msg_header.frag_len = frag->msg_header.msg_len;
                frag->msg_header.frag_off = 0;
-        } else
+        } else {
                frag = (hm_fragment*)item->data;
+                if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+                        item = NULL;
+                        frag = NULL;
+                        goto err;
+                }
+        }
        /* If message is already reassembled, this must be a
         * retransmit and can be dropped.
author	jsing <>	2014-06-05 16:53:15 +0000
committer	jsing <>	2014-06-05 16:53:15 +0000
commit	a5eaf8ae8a59227ec7a51920b1562ab92c770aae (patch)
tree	cd83aa9f3f4660d0c8a28f4eca0af3f6a4891618 /src/lib/libssl/d1_both.c
parent	709e767ee1bae902c542e5d14cba5920b5b85177 (diff)
download	openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.tar.gz openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.tar.bz2 openbsd-a5eaf8ae8a59227ec7a51920b1562ab92c770aae.zip