Do not recurse when a 'Hello Request' message is received while getting

DTLS fragments. A stream of 'Hello Request' messages will result in
infinite recursion, eventually crashing the DTLS client or server.

Fixes CVE-2014-0221, from OpenSSL.

Reported to OpenSSL by Imre Rad.

1 files changed, 2 insertions, 1 deletions

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 3674ed6046..6625055645 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
         int i, al;
         struct hm_header_st msg_hdr;
 
+again:
         /* see if we have the required fragment already */
         if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
                 if (*ok)
@@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
                                     s->msg_callback_arg);
 
                         s->init_num = 0;
-                        return dtls1_get_message_fragment(s, st1, stn, max, ok);
+                        goto again;
                 }
                 else /* Incorrectly formated Hello request */
                 {