author | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-05 17:53:03 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-05 17:53:03 +0000 |
commit | 6d8c82e7cb06fc71acce3075a45200ba07c0cc66 | |
tree | 70b227c47c55ed428cf103a0074d95836438d968 /lib/libssl | |
parent | b5e818913cca23518ef1c97ac5154ac0313c9f83 |
Do not recurse when a 'Hello Request' message is received while getting
DTLS fragments. A stream of 'Hello Request' messages will result in
infinite recursion, eventually crashing the DTLS client or server.
Fixes CVE-2014-0221, from OpenSSL.
Reported to OpenSSL by Imre Rad.
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_both.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index 3674ed60461..66250556451 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) int i, al; struct hm_header_st msg_hdr; +again: /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) @@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) s->msg_callback_arg); s->init_num = 0; - return dtls1_get_message_fragment(s, st1, stn, max, ok); + goto again; } else /* Incorrectly formated Hello request */ { |
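Review bot: In the first hunk (@@ -743,6 +743,7 @@), the `again:` label sits after the declarations of `i`, `al` and `msg_hdr`, so a second pass through the function body sees whatever those locals held at the end of the previous pass, where the recursive call used to get a fresh stack frame. Please confirm that each of them is written before it is read on every pass, or clear `msg_hdr` immediately after the label so a stale header from the discarded Hello Request cannot influence the next fragment.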
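Review bot: In the second hunk (@@ -801,7 +802,7 @@), `goto again` takes care of the stack growth, but nothing in the visible lines bounds how many consecutive Hello Request messages the function will consume before returning, so the peer still decides how long the call stays in this loop. Consider a short comment stating why the loop terminates (for example, that each pass has to read a new record from the peer), or a cap on consecutive Hello Requests that fails the handshake when exceeded. As a style point, a backward `goto` across the whole function body is harder to follow than an explicit loop; if the label stays, a one-line comment at `again:` naming the Hello Request case would help the next reader.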