authorguenther <guenther@openbsd.org>2014-08-08 05:06:56 +0000
committerguenther <guenther@openbsd.org>2014-08-08 05:06:56 +0000
commit1ad69c40f41c48743fc2a936ec067f21604a60b3 (patch)
tree66e13c5512df09518f2b938b8fe6df7bbb76ceb7 /lib/libssl/src
parentFix CVE-2014-3508, pretty printing and OID validation: (diff)
Fix CVE-2014-3507, avoid allocating and then leaking a fresh fragment
structure when a zero-length fragment is received. Based on https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74 diff by miod@, ok guenther@ bcook@ deraadt@
Diffstat (limited to 'lib/libssl/src')
-rw-r--r--lib/libssl/src/ssl/d1_both.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c
index fea701107fd..1eda4aef726 100644
--- a/lib/libssl/src/ssl/d1_both.c
+++ b/lib/libssl/src/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.27 2014/08/07 20:24:12 guenther Exp $ */
+/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -597,6 +597,11 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
goto err;
+ if (frag_len == 0) {
+ i = DTLS1_HM_FRAGMENT_RETRY;
+ goto err;
+ }
+
/* Try to find item in queue */
memset(seq64be, 0, sizeof(seq64be));
seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
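Review bot: The new `if (frag_len == 0)` branch in dtls1_reassemble_fragment has no comment explaining why an empty fragment becomes a retry, and it leaves through `goto err` although it is not an error. I would put `/* Empty fragment: nothing to reassemble, so bail out before a fragment structure is allocated (CVE-2014-3507). */` directly above the `if`. The `err` label and the rest of the function are outside this hunk, so it is worth confirming that the label returns `i` unchanged and that callers accept whatever it does to `*ok` alongside `DTLS1_HM_FRAGMENT_RETRY`. The later hunk in dtls1_process_out_of_seq_message drops the `frag_len &&` test and so appears to forward zero-length fragments here, which makes this guard the only thing keeping them away from the allocation path; the comment should say so, so the check is not removed as redundant later.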
@@ -725,7 +730,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
frag_len -= i;
}
} else {
- if (frag_len && frag_len < msg_hdr->msg_len)
+ if (frag_len < msg_hdr->msg_len)
return dtls1_reassemble_fragment(s, msg_hdr, ok);
if (frag_len > dtls1_max_handshake_message_len(s))