author | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-05 16:53:16 +0000 |
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-06-05 16:53:16 +0000 |
commit | 9063eaa42ff73cb375b4bb0b78f3720e3033b841 (patch) | |
tree | c884ef9e707137fb696fc6d0121f281f13fc06f4 /lib/libssl | |
parent | 13455cd919c71b4229a0e7296a15b208e3e7d908 (diff) |
Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments.
Fix for CVE-2014-0195, from OpenSSL.
Reported to OpenSSL by Juri Aedla.
ok deraadt@ beck@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_both.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 8e2843625b8..3674ed60461 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 		memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
 		frag->msg_header.frag_len = frag->msg_header.msg_len;
 		frag->msg_header.frag_off = 0;
-	} else
+	} else {
 		frag = (hm_fragment*)item->data;
+		if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+			item = NULL;
+			frag = NULL;
+			goto err;
+		}
+	}
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.
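Review bot: The new `msg_len` comparison has no comment saying why it is a security boundary, and why `item` and `frag` are cleared before `goto err`; a reader later will be tempted to "simplify" it. I would put above the check: `/* The reassembly buffer was sized from the first fragment's msg_len; a later fragment claiming a different msg_len must be rejected, otherwise the frag_off/frag_len bounds checks made against the new header no longer bound the existing buffer (CVE-2014-0195). item/frag stay owned by the queue, so clear them before err so the cleanup there does not free them. */` The ownership half is inferred from the NULLing pattern, since the `err` label is outside this hunk; confirm against its cleanup. If the queue lookup that produced `item` keys on the sequence number alone (not visible here), a fragment whose `msg_type` differs from `frag->msg_header.msg_type` should be rejected the same way, and any sibling path that looks up a buffered fragment by header (such as an out-of-sequence handler) needs the identical check. The body of `dtls1_reassemble_fragment` begins and ends outside this hunk.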