generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix for CVE-2014-0195

Browse Source 
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
This commit is contained in:
Dr. Stephen Henson 2014-05-13 18:48:31 +01:00
parent 4b258e73ae
commit 82ba68c42d
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/d1_both.c
View File

@ -621,7 +621,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
frag->msg_header.frag_off = 0;
}
else
{
frag = (hm_fragment*) item->data;
if (frag->msg_header.msg_len != msg_hdr->msg_len)
{
item = NULL;
frag = NULL;
goto err;
}
}
/* If message is already reassembled, this must be a
* retransmit and can be dropped.