From cdf40bdf9747645f289603813ca763593348e29f Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 5 Jun 2014 17:53:02 +0000 Subject: Do not recurse when a 'Hello Request' message is received while getting DTLS fragments. A stream of 'Hello Request' messages will result in infinite recursion, eventually crashing the DTLS client or server. Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad. --- src/lib/libssl/d1_both.c | 3 ++- src/lib/libssl/src/ssl/d1_both.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index 3674ed6046..6625055645 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c @@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) int i, al; struct hm_header_st msg_hdr; +again: /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) @@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->msg_callback_arg); s->init_num = 0; - return dtls1_get_message_fragment(s, st1, stn, max, ok); + goto again; } else /* Incorrectly formated Hello request */ { diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c index 3674ed6046..6625055645 100644 --- a/src/lib/libssl/src/ssl/d1_both.c +++ b/src/lib/libssl/src/ssl/d1_both.c @@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) int i, al; struct hm_header_st msg_hdr; +again: /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) @@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->msg_callback_arg); s->init_num = 0; - return dtls1_get_message_fragment(s, st1, stn, max, ok); + goto again; } else /* Incorrectly formated Hello request */ { -- cgit v1.2.3-55-g6feb