OpenSSL 1.0.1e: In the function dtls1_get_record the pointer p is initialized to NULL at function entry. Later the pointer may be initialized inside an if statement. The pointer is later dereferenced, without a null check, resulting in a segfault.
In our product this only happens when OpenSSL is in FIPS mode.
I have supplied a simple patch that solves the problem on my test machines.
Best regards,
Fredrik Jansson
"Pseudo code"

    unsigned char *p = NULL;
    ...
    if ( (s->rstate != SSL_ST_READ_BODY) ||
         (s->packet_length < DTLS1_RT_HEADER_LENGTH))
    {
        ...
        p = s->packet;
        ...
    }
    ...
    if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
          *p == SSL3_MT_CLIENT_HELLO) &&
        !dtls1_record_replay_check(s, bitmap)) { ... }
d1_pkt.patch
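A stand-alone C reproduction of the control flow described in the report, added here as an illustration; it is not code from the report, from OpenSSL, or from the attached d1_pkt.patch. The struct, the constant values, and the hardened variant are constructed assumptions: it models that p is only assigned on the fresh-header path and stays NULL when a record body was already buffered.

```c
#include <stddef.h>

/* Constructed stand-ins for the OpenSSL symbols named in the report; values are illustrative. */
#define SSL_ST_READ_HEADER     0
#define SSL_ST_READ_BODY       1
#define DTLS1_RT_HEADER_LENGTH 13
#define SSL3_RT_HANDSHAKE      22
#define SSL3_MT_CLIENT_HELLO   1

/* Hypothetical subset of the SSL object that the quoted code touches. */
struct dtls_s {
    int rstate;             /* SSL_ST_READ_HEADER or SSL_ST_READ_BODY */
    size_t packet_length;   /* bytes already sitting in the read buffer */
    unsigned char *packet;  /* start of the current record (header first) */
    int listen;             /* s->d1->listen: DTLSv1_listen() mode */
    int rr_type;            /* rr->type, already parsed from the header */
};

/*
 * Flawed flow as reported: p is assigned (and, in the real code, advanced
 * past the 13-byte header while parsing it) only when a fresh header is read.
 * Returns 1 if the ClientHello exemption applies, 0 if it does not, and -1
 * at the point where the original code would dereference NULL.
 */
int flawed_client_hello_exempt(const struct dtls_s *s)
{
    unsigned char *p = NULL;
    if (s->rstate != SSL_ST_READ_BODY || s->packet_length < DTLS1_RT_HEADER_LENGTH)
        p = s->packet + DTLS1_RT_HEADER_LENGTH;  /* header parsing elided */
    if (p == NULL)
        return -1;  /* the original has no such check: "*p" segfaults here */
    return s->listen && s->rr_type == SSL3_RT_HANDSHAKE && *p == SSL3_MT_CLIENT_HELLO;
}

/*
 * Hardened variant (an assumption, not the attached patch): take the message
 * type from state that is valid on both paths and bounds-check it, so a
 * record whose body was already buffered no longer reaches a NULL pointer.
 */
int fixed_client_hello_exempt(const struct dtls_s *s)
{
    if (!s->listen || s->rr_type != SSL3_RT_HANDSHAKE)
        return 0;
    if (s->packet == NULL || s->packet_length <= DTLS1_RT_HEADER_LENGTH)
        return 0;  /* no body byte to inspect: fall through to the replay check */
    return s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO;
}
```

The buffered-body case is the one that matters: the flawed path returns -1 where the real function would crash, while the hardened path evaluates the same condition safely.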