authorJoel Sing <jsing@cvs.openbsd.org>2014-06-05 16:53:16 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-06-05 16:53:16 +0000
commit9063eaa42ff73cb375b4bb0b78f3720e3033b841 (patch)
treec884ef9e707137fb696fc6d0121f281f13fc06f4
parent13455cd919c71b4229a0e7296a15b208e3e7d908 (diff)
Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL by Juri Aedla. ok deraadt@ beck@
-rw-r--r--lib/libssl/d1_both.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 8e2843625b8..3674ed60461 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
frag->msg_header.frag_len = frag->msg_header.msg_len;
frag->msg_header.frag_off = 0;
- } else
+ } else {
frag = (hm_fragment*)item->data;
+ if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+ item = NULL;
+ frag = NULL;
+ goto err;
+ }
+ }
/* If message is already reassembled, this must be a
* retransmit and can be dropped.