aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 13:58:25 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2009-08-23 13:58:25 +0000
commitb7421a6928c470446c8bd74218149745b1c1db16 (patch)
tree603d4d8f49dabe92b27a4a916cf2ed99f495b99d
parent27de41c0e2f408da6b42112c27b4dad0a07432e0 (diff)
downloadsrc-b7421a6928c470446c8bd74218149745b1c1db16.tar.gz
src-b7421a6928c470446c8bd74218149745b1c1db16.zip
Import DTLS fix from upstream OpenSSL 0.9.8 branch:
Fix memory consumption bug with "future epoch" DTLS records. Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1377 Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=18187
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=196461
-rw-r--r--crypto/pqueue/pqueue.c14
-rw-r--r--crypto/pqueue/pqueue.h1
-rw-r--r--ssl/d1_pkt.c4
3 files changed, 19 insertions, 0 deletions
diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c
index 5cc18527f8da..6c89f06fb105 100644
--- a/crypto/pqueue/pqueue.c
+++ b/crypto/pqueue/pqueue.c
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
return ret;
}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}
diff --git a/crypto/pqueue/pqueue.h b/crypto/pqueue/pqueue.h
index 02386d130e9a..16c4072681c2 100644
--- a/crypto/pqueue/pqueue.h
+++ b/crypto/pqueue/pqueue.h
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index eb56cf987ba3..4ae9be54ae60 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
DTLS1_RECORD_DATA *rdata;
pitem *item;
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)