authorjsing <jsing@openbsd.org>2014-06-05 17:53:02 +0000
committerjsing <jsing@openbsd.org>2014-06-05 17:53:02 +0000
commit1aa2bd1933f68335de427dbf34ece22dba428a97 (patch)
tree7c4873c9b78e5e39da368bd5842f72f6cf6c82ee
parentEnsure that sess_cert is not NULL before trying to use it. (diff)
Do not recurse when a 'Hello Request' message is received while getting
DTLS fragments. A stream of 'Hello Request' messages will result in infinite recursion, eventually crashing the DTLS client or server. Fixes CVE-2014-0221, from OpenSSL. Reported to OpenSSL by Imre Rad.
-rw-r--r--lib/libssl/d1_both.c3
-rw-r--r--lib/libssl/src/ssl/d1_both.c3
2 files changed, 4 insertions, 2 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 3674ed60461..66250556451 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
int i, al;
struct hm_header_st msg_hdr;
+again:
/* see if we have the required fragment already */
if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
if (*ok)
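Review bot: The new `again:` label has no comment saying why control returns here, so a later cleanup could reintroduce the recursive call. I would put a comment directly above the label, for example `/* Retry point: a HelloRequest seen while reading fragments is dropped and we loop here instead of recursing (CVE-2014-0221). */`. The locals declared above the label (`i`, `al`, `msg_hdr`) are not reset on re-entry; since they have no initialisers and `frag_len` is assigned immediately after the label, this looks equivalent to the old recursive entry, but the body between the two hunks is not visible here, so that is worth confirming. The same applies to the identical hunk in lib/libssl/src/ssl/d1_both.c.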
@@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
s->msg_callback_arg);
s->init_num = 0;
- return dtls1_get_message_fragment(s, st1, stn, max, ok);
+ goto again;
}
else /* Incorrectly formated Hello request */
{
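Review bot: The `goto again` in the HelloRequest branch stops the stack growth, but the retry is still unbounded: a peer that keeps sending well-formed HelloRequest messages keeps this function looping for as long as it sends. The code between the label and this jump is outside the hunk, so whether each pass blocks on a record read, which would pace the loop at the peer's send rate, is inferred rather than shown. If handshake progress matters to callers, consider a per-call counter that fails the handshake past a small limit, along the lines of `if (++hello_req_count > MAX_HELLO_REQ) { *ok = 0; return -1; }`, where both names are placeholders and the error path should follow the function's existing alert handling. The same applies to the identical hunk in lib/libssl/src/ssl/d1_both.c.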
diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c
index 3674ed60461..66250556451 100644
--- a/lib/libssl/src/ssl/d1_both.c
+++ b/lib/libssl/src/ssl/d1_both.c
@@ -743,6 +743,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
int i, al;
struct hm_header_st msg_hdr;
+again:
/* see if we have the required fragment already */
if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
if (*ok)
@@ -801,7 +802,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
s->msg_callback_arg);
s->init_num = 0;
- return dtls1_get_message_fragment(s, st1, stn, max, ok);
+ goto again;
}
else /* Incorrectly formated Hello request */
{