2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch
new file mode 100644
index 0000000000..bf730a8124
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch
@@ -0,0 +1,38 @@
+commit d30e582446b027868cdabd0994681643682045a4
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date:   Fri May 16 13:00:45 2014 +0100
+    Fix CVE-2014-0221
+    
+    Unnecessary recursion when receiving a DTLS hello request can be used to
+    crash a DTLS client. Fixed by handling DTLS hello request without recursion.
+    
+    Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+Patch borrowed from Fedora
+Upstream-Status: Backport
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 07f67f8..4c2fd03 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+        int i,al;
+        struct hm_header_st msg_hdr;
+ 
+       redo:
+        /* see if we have the required fragment already */
+        if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
+                {
+@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+                                        s->msg_callback_arg);
+                        
+                        s->init_num = 0;
+-                       return dtls1_get_message_fragment(s, st1, stn,
+-                               max, ok);
+                       goto redo;
+                        }
+                else /* Incorrectly formated Hello request */
+                        {
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
index 25dc1856c6..738f085059 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -38,6 +38,7 @@ SRC_URI += "file://configure-targets.patch \
            file://CVE-2014-0160.patch \
            file://openssl-1.0.1e-cve-2014-0195.patch \
            file://openssl-1.0.1e-cve-2014-0198.patch \
+            file://openssl-1.0.1e-cve-2014-0221.patch \
           "
 SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch new file mode 100644 index 0000000000..bf730a8124 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-1.0.1e-cve-2014-0221.patch
@@ -0,0 +1,38 @@
		1	commit d30e582446b027868cdabd0994681643682045a4
		2	Author: Dr. Stephen Henson <steve@openssl.org>
		3	Date: Fri May 16 13:00:45 2014 +0100
		4
		5	Fix CVE-2014-0221
		6
		7	Unnecessary recursion when receiving a DTLS hello request can be used to
		8	crash a DTLS client. Fixed by handling DTLS hello request without recursion.
		9
		10	Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
		11
		12	Patch borrowed from Fedora
		13	Upstream-Status: Backport
		14	Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
		15
		16	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
		17	index 07f67f8..4c2fd03 100644
		18	--- a/ssl/d1_both.c
		19	+++ b/ssl/d1_both.c
		20	@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL s, int st1, int stn, long max, int ok)
		21	int i,al;
		22	struct hm_header_st msg_hdr;
		23
		24	+ redo:
		25	/* see if we have the required fragment already */
		26	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) \|\| *ok)
		27	{
		28	@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL s, int st1, int stn, long max, int ok)
		29	s->msg_callback_arg);
		30
		31	s->init_num = 0;
		32	- return dtls1_get_message_fragment(s, st1, stn,
		33	- max, ok);
		34	+ goto redo;
		35	}
		36	else /* Incorrectly formated Hello request */
		37	{
		38


diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index 25dc1856c6..738f085059 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
@@ -38,6 +38,7 @@ SRC_URI += "file://configure-targets.patch \
38	file://CVE-2014-0160.patch \	38	file://CVE-2014-0160.patch \
39	file://openssl-1.0.1e-cve-2014-0195.patch \	39	file://openssl-1.0.1e-cve-2014-0195.patch \
40	file://openssl-1.0.1e-cve-2014-0198.patch \	40	file://openssl-1.0.1e-cve-2014-0198.patch \
		41	file://openssl-1.0.1e-cve-2014-0221.patch \
41	"	42	"
42		43
43	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"	44	SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"