This patch changes the behavior of DTLS regarding erroneous record headers. The current implementation reports an error if the version or length entries of the record layer are unexpected and closes the connection. This is probably taken over from TLS but doesn't make sense with DTLS, since an attacker can easily send random data to close the connection. In fact, every packet not containing the correct version and length terminates the connection. With this patch such packets are just silently discarded to keep the connection alive.
--- ssl/d1_pkt.c 1 Jul 2009 11:29:01 -0000 1.27.2.10 +++ ssl/d1_pkt.c 3 Jul 2009 13:43:18 -0000 @@ -586,26 +594,27 @@ { if (version != s->version) { - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - /* Send back error using their - * version number :-) */ - s->version=version; - al=SSL_AD_PROTOCOL_VERSION; - goto f_err; + /* unexpected version, silently discard */ + rr->length = 0; + s->packet_length = 0; + goto again; } } if ((version & 0xff00) != (s->version & 0xff00)) { - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - goto err; + /* wrong version, silently discard record */ + rr->length = 0; + s->packet_length = 0; + goto again; } if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); - goto f_err; + /* record too long, silently discard it */ + rr->length = 0; + s->packet_length = 0; + goto again; } /* now s->rstate == SSL_ST_READ_BODY */
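Review bot: the identical three-line discard sequence (`rr->length = 0; s->packet_length = 0; goto again;`) now appears in all three branches of dtls1_get_record; a single shared label (e.g. `discard:`) would keep the branches from drifting apart if the reset logic ever changes. Removing all three SSLerr calls also removes the only diagnostic trace of these events: a malformed-header flood that previously surfaced as a connection error is now completely invisible to the application, so consider keeping a debug-level trace or counter of discarded records so operators can still see them. Finally, the first branch used to answer a version mismatch with an alert carrying the peer's version number; after this change a genuinely mismatched peer gets no feedback and will only time out, which is a behavior change worth calling out in the commit message.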