1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch
new file mode 100644
index 0000000000..2fae0e88ac
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch
@@ -0,0 +1,48 @@
+From 1632ef744872edc2aa2a53d487d3e79c965a4ad3 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 13 May 2014 18:48:31 +0100
+Subject: [PATCH] Fix for CVE-2014-0195
+Upstream-Status: Backport
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+A buffer overrun attack can be triggered by sending invalid DTLS fragments
+to an OpenSSL DTLS client or server. This is potentially exploitable to
+run arbitrary code on a vulnerable client or server.
+Fixed by adding consistency check for DTLS fragments.
+Thanks to Jüri Aedla for reporting this issue.
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ssl/d1_both.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 1bb2e4d..7de9ae4 100644
+--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
+@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+                frag->msg_header.frag_off = 0;
+                }
+        else
+               {
+                frag = (hm_fragment*) item->data;
+               if (frag->msg_header.msg_len != msg_hdr->msg_len)
+                       {
+                       item = NULL;
+                       frag = NULL;
+                       goto err;
+                       }
+               }
+
+ 
+        /* If message is already reassembled, this must be a
+         * retransmit and can be dropped.
+-- 
+1.7.10.4

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch new file mode 100644 index 0000000000..2fae0e88ac --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Fix-for-CVE-2014-0195.patch
@@ -0,0 +1,48 @@
	1	From 1632ef744872edc2aa2a53d487d3e79c965a4ad3 Mon Sep 17 00:00:00 2001
	2	From: "Dr. Stephen Henson" <steve@openssl.org>
	3	Date: Tue, 13 May 2014 18:48:31 +0100
	4	Subject: [PATCH] Fix for CVE-2014-0195
	5
	6	Upstream-Status: Backport
	7
	8	MIME-Version: 1.0
	9	Content-Type: text/plain; charset=UTF-8
	10	Content-Transfer-Encoding: 8bit
	11
	12	A buffer overrun attack can be triggered by sending invalid DTLS fragments
	13	to an OpenSSL DTLS client or server. This is potentially exploitable to
	14	run arbitrary code on a vulnerable client or server.
	15
	16	Fixed by adding consistency check for DTLS fragments.
	17
	18	Thanks to Jüri Aedla for reporting this issue.
	19
	20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	21	---
	22	ssl/d1_both.c \| 9 +++++++++
	23	1 file changed, 9 insertions(+)
	24
	25	diff --git a/ssl/d1_both.c b/ssl/d1_both.c
	26	index 1bb2e4d..7de9ae4 100644
	27	--- a/ssl/d1_both.c
	28	+++ b/ssl/d1_both.c
	29	@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
	30	frag->msg_header.frag_off = 0;
	31	}
	32	else
	33	+ {
	34	frag = (hm_fragment*) item->data;
	35	+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
	36	+ {
	37	+ item = NULL;
	38	+ frag = NULL;
	39	+ goto err;
	40	+ }
	41	+ }
	42	+
	43
	44	/* If message is already reassembled, this must be a
	45	* retransmit and can be dropped.
	46	--
	47	1.7.10.4
	48