aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 14:12:01 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 14:12:01 +0000
commitf8f8fb827d260bb6161b82bb67de04c0a4c9868c (patch)
treea26eccb6e65dd7f2eb671d66c3afbc34b457f864
parentb7421a6928c470446c8bd74218149745b1c1db16 (diff)
downloadsrc-f8f8fb827d260bb6161b82bb67de04c0a4c9868c.tar.gz
src-f8f8fb827d260bb6161b82bb67de04c0a4c9868c.zip
Import DTLS fix from upstream OpenSSL 0.9.8 branch:
Fix fragment handling memory leak. Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1378 Obtained from: OpenSSL CVS http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=196462
-rw-r--r--ssl/d1_both.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 15a201a25cf4..0c863179bc88 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];