Module Name: src
Committed By: snj
Date: Sun Jul 5 14:19:35 UTC 2009
Modified Files:
src/crypto/dist/openssl/ssl [netbsd-5-0]: d1_both.c
Log Message:
Pull up following revision(s) (requested by tonnerre in ticket #850):
crypto/dist/openssl/ssl/d1_both.c: revision 1.4
Forgot to commit this last night with the rest of ticket 850. Sigh.
"Fix various vulnerabilities in OpenSSL which have not previously been
addressed: CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386
and CVE-2009-1387.
Changes deal mostly with size checking of various elements and fixes
to various error paths."
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.3.8.1 src/crypto/dist/openssl/ssl/d1_both.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/openssl/ssl/d1_both.c
diff -u src/crypto/dist/openssl/ssl/d1_both.c:1.3 src/crypto/dist/openssl/ssl/d1_both.c:1.3.8.1
--- src/crypto/dist/openssl/ssl/d1_both.c:1.3 Fri May 9 21:49:42 2008
+++ src/crypto/dist/openssl/ssl/d1_both.c Sun Jul 5 14:19:35 2009
@@ -518,6 +518,7 @@
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
{
+ unsigned long frag_len = frag->msg_header.frag_len;
pqueue_pop(s->d1->buffered_messages);
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -535,7 +536,7 @@
if (al==0)
{
*ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
}
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -560,7 +561,16 @@
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ memset(seq64be,0,sizeof(seq64be));
+ seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+ seq64be[7] = (unsigned char) msg_hdr->seq;
+ item = pqueue_find(s->d1->buffered_messages, seq64be);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];
@@ -574,30 +584,31 @@
}
}
- frag = dtls1_hm_fragment_new(frag_len);
- if ( frag == NULL)
- goto err;
+ if (frag_len)
+ {
+ frag = dtls1_hm_fragment_new(frag_len);
+ if ( frag == NULL)
+ goto err;
- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
- if (frag_len)
- {
/* read the body of the fragment (header has already been read */
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
frag->fragment,frag_len,0);
if (i<=0 || (unsigned long)i!=frag_len)
goto err;
- }
- memset(seq64be,0,sizeof(seq64be));
- seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
- seq64be[7] = (unsigned char)(msg_hdr->seq);
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
- item = pitem_new(seq64be, frag);
- if ( item == NULL)
- goto err;
+ item = pitem_new(seq64be, frag);
+ pq_64bit_free(&seq64);
+ if ( item == NULL)
+ goto err;
+
+ pqueue_insert(s->d1->buffered_messages, item);
+ }
- pqueue_insert(s->d1->buffered_messages, item);
return DTLS1_HM_FRAGMENT_RETRY;
err:
