Module Name: src Committed By: snj Date: Sun Jul 5 14:19:35 UTC 2009
Modified Files: src/crypto/dist/openssl/ssl [netbsd-5-0]: d1_both.c Log Message: Pull up following revision(s) (requested by tonnerre in ticket #850): crypto/dist/openssl/ssl/d1_both.c: revision 1.4 Forgot to commit this last night with the rest of ticket 850. Sigh. "Fix various vulnerabilities in OpenSSL which have not previously been addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387. Changes deal mostly with size checking of various elements and fixes to various error paths." To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.3.8.1 src/crypto/dist/openssl/ssl/d1_both.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/openssl/ssl/d1_both.c diff -u src/crypto/dist/openssl/ssl/d1_both.c:1.3 src/crypto/dist/openssl/ssl/d1_both.c:1.3.8.1 --- src/crypto/dist/openssl/ssl/d1_both.c:1.3 Fri May 9 21:49:42 2008 +++ src/crypto/dist/openssl/ssl/d1_both.c Sun Jul 5 14:19:35 2009 @@ -518,6 +518,7 @@ if ( s->d1->handshake_read_seq == frag->msg_header.seq) { + unsigned long frag_len = frag->msg_header.frag_len; pqueue_pop(s->d1->buffered_messages); al=dtls1_preprocess_fragment(s,&frag->msg_header,max); @@ -535,7 +536,7 @@ if (al==0) { *ok = 1; - return frag->msg_header.frag_len; + return frag_len; } ssl3_send_alert(s,SSL3_AL_FATAL,al); @@ -560,7 +561,16 @@ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; - if (msg_hdr->seq <= s->d1->handshake_read_seq) + /* Try to find item in queue, to prevent duplicate entries */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); + seq64be[7] = (unsigned char) msg_hdr->seq; + item = pqueue_find(s->d1->buffered_messages, seq64be); + + /* Discard the message if sequence number was already there, is + * too far in the future or the fragment is already in the queue */ + if (msg_hdr->seq <= s->d1->handshake_read_seq || + msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) { unsigned char devnull [256]; @@ -574,30 +584,31 @@ } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; + if (frag_len) + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { /* read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; - } - memset(seq64be,0,sizeof(seq64be)); - seq64be[6] = (unsigned char)(msg_hdr->seq>>8); - seq64be[7] = (unsigned char)(msg_hdr->seq); + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); - item = pitem_new(seq64be, frag); - if ( item == NULL) - goto err; + item = pitem_new(seq64be, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + } - pqueue_insert(s->d1->buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err: