generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix for CVE-2014-0195

Browse Source 
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef744872edc2aa2a53d487d3e79c965a4ad3)
This commit is contained in:
Dr. Stephen Henson 2014-05-13 18:48:31 +01:00
parent a91be10833
commit 410e444b71
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/d1_both.c
View File

@ -632,7 +632,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
frag->msg_header.frag_off = 0; frag->msg_header.frag_off = 0;
} }
else else
{
frag = (hm_fragment*) item->data; frag = (hm_fragment*) item->data;
if (frag->msg_header.msg_len != msg_hdr->msg_len)
{
item = NULL;
frag = NULL;
goto err;
}
}
/* If message is already reassembled, this must be a /* If message is already reassembled, this must be a
* retransmit and can be dropped. * retransmit and can be dropped.