blob: 5eef0f362c109aadac21ce293d0fc54f9b77a1b5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
From 45fe66b8ba026186aa5d8ef1e0e6010ea74d5c0b Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Sat, 3 Jan 2015 00:54:35 +0000
Subject: [PATCH] Follow on from CVE-2014-3571. This fixes the code that was
the original source of the crash due to p being NULL. Steve's fix prevents
this situation from occuring - however this is by no means obvious by looking
at the code for dtls1_get_record. This fix just makes things look a bit more
sane.
Reviewed-by: Dr Steve Henson <steve@openssl.org>
Upstream-Status: Backport
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
ssl/d1_pkt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index d717260..73ce488 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -676,7 +676,8 @@ again:
* would be dropped unnecessarily.
*/
if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
- *p == SSL3_MT_CLIENT_HELLO) &&
+ s->packet_length > DTLS1_RT_HEADER_LENGTH &&
+ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
!dtls1_record_replay_check(s, bitmap))
{
rr->length = 0;
--
1.9.1
|