The branch OpenSSL_1_1_0-stable has been updated via 1b261954028925c1e2c329928938dacacf0bb6c0 (commit) from 36d2517a97f6020049116492b4d5491d177e629c (commit)
- Log ----------------------------------------------------------------- commit 1b261954028925c1e2c329928938dacacf0bb6c0 Author: Matt Caswell <m...@openssl.org> Date: Fri May 11 10:28:47 2018 +0100 Don't memcpy the contents of an empty fragment In DTLS if we have buffered a fragment for a zero length message (e.g. ServerHelloDone) then, when we unbuffered the fragment, we were attempting to memcpy the contents of the fragment which is zero length and a NULL pointer. This is undefined behaviour. We should check first whether we have a zero length fragment. Fixes a travis issue. [extended tests] Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6224) ----------------------------------------------------------------------- Summary of changes: ssl/statem/statem_dtls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c index 6b80620..5b34425 100644 --- a/ssl/statem/statem_dtls.c +++ b/ssl/statem/statem_dtls.c @@ -493,7 +493,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) al = dtls1_preprocess_fragment(s, &frag->msg_header); - if (al == 0) { /* no alert */ + /* al will be 0 if no alert */ + if (al == 0 && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits