| author | jsing <> | 2014-06-05 16:53:15 +0000 | 
|---|---|---|
| committer | jsing <> | 2014-06-05 16:53:15 +0000 | 
| commit | e559f608e16ce124fe9a533161750610f6d3956b (patch) | |
| tree | cd83aa9f3f4660d0c8a28f4eca0af3f6a4891618 /src | |
| parent | c96d876c2d1f9d3c4c187c531cac4434ff3e905d (diff) | |
Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments.
Fix for CVE-2014-0195, from OpenSSL.
Reported to OpenSSL by Juri Aedla.
ok deraadt@ beck@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/d1_both.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/d1_both.c | 8 | 
2 files changed, 14 insertions, 2 deletions
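--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 		frag->msg_header.frag_len = frag->msg_header.msg_len;
 		frag->msg_header.frag_off = 0;
-	} else
+	} else {
 		frag = (hm_fragment*)item->data;
+		if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+			item = NULL;
+			frag = NULL;
+			goto err;
+		}
+	}
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.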
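Review bot: The two assignments `item = NULL; frag = NULL;` before `goto err` in the new else-branch carry the whole ownership argument and deserve a comment, since the err label lies outside this hunk and a later reader will not see why a found queue entry is dropped from the locals rather than released. Presumably the err path frees whatever `frag`/`item` still point to, and here they belong to the already-buffered fragment, so freeing them would leave a dangling entry in the queue; add `/* Existing entry belongs to the buffered queue; clear locals so the err path does not free it. */` above the assignments. It would also help to say what the check defends against, e.g. `/* A fragment whose msg_len differs from the buffered entry would overrun the buffer sized from the first fragment. */`, since that is the overflow the commit message refers to without stating it in the code. The same comments apply to the mirrored hunk in src/lib/libssl/src/ssl/d1_both.c. dtls1_reassemble_fragment begins and ends outside the hunk.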
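--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 		frag->msg_header.frag_len = frag->msg_header.msg_len;
 		frag->msg_header.frag_off = 0;
-	} else
+	} else {
 		frag = (hm_fragment*)item->data;
+		if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+			item = NULL;
+			frag = NULL;
+			goto err;
+		}
+	}
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.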
