authorjsing <jsing@openbsd.org>2014-06-05 16:53:15 +0000
committerjsing <jsing@openbsd.org>2014-06-05 16:53:15 +0000
commit48e47f1764e2bd89adf55fcd559c50c12133d8c9 (patch)
tree40b9e632478ed34cbb01993e682d45db1b087685 /lib/libssl/d1_both.c
parentssl_sess_cert_new() can return NULL. Fix two cases where the return value (diff)
Avoid a buffer overflow that can be triggered by sending specially crafted
DTLS fragments. Fix for CVE-2014-0195, from OpenSSL. Reported to OpenSSL by Juri Aedla. ok deraadt@ beck@
Diffstat (limited to 'lib/libssl/d1_both.c')
-rw-r--r--lib/libssl/d1_both.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 8e2843625b8..3674ed60461 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -586,8 +586,14 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
frag->msg_header.frag_len = frag->msg_header.msg_len;
frag->msg_header.frag_off = 0;
- } else
+ } else {
frag = (hm_fragment*)item->data;
+ if (frag->msg_header.msg_len != msg_hdr->msg_len) {
+ item = NULL;
+ frag = NULL;
+ goto err;
+ }
+ }
/* If message is already reassembled, this must be a
* retransmit and can be dropped.