From a5eaf8ae8a59227ec7a51920b1562ab92c770aae Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 5 Jun 2014 16:53:15 +0000
Subject: Avoid a buffer overflow that can be triggered by sending specially
 crafted DTLS fragments.

Fix for CVE-2014-0195, from OpenSSL.

Reported to OpenSSL by Juri Aedla.

ok deraadt@ beck@
---
 src/lib/libssl/d1_both.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/d1_both.c')

diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 8e2843625b..3674ed6046 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 		frag->msg_header.frag_len = frag->msg_header.msg_len;
 		frag->msg_header.frag_off = 0;
-	} else
+	} else {
 		frag = (hm_fragment*)item->data;
+		if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+			item = NULL;
+			frag = NULL;
+			goto err;
+		}
+	}
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.
-- 
cgit v1.2.3-55-g6feb