Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
parent 60be115771
commit e5861c885f
@ -663,7 +663,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|||||||
/* read the body of the fragment (header has already been read */
|
/* read the body of the fragment (header has already been read */
|
||||||
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
|
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
|
||||||
frag->fragment + msg_hdr->frag_off,frag_len,0);
|
frag->fragment + msg_hdr->frag_off,frag_len,0);
|
||||||
if (i<=0 || (unsigned long)i!=frag_len)
|
if ((unsigned long)i!=frag_len)
|
||||||
|
i=-1;
|
||||||
|
if (i<=0)
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
|
RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
|
||||||
|
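Review bot: the new `if ((unsigned long)i!=frag_len)` runs before the `i<=0` test, so a zero or negative return from `ssl_read_bytes` is also cast to unsigned long, fails the comparison, and is overwritten with -1, which discards the original return value on the error path. Consider testing `i<=0` first and assigning `i=-1` only for the short positive read, which is the truncated-fragment case the commit message describes. A one-line comment on the `i=-1;` assignment saying it keeps the return value consistent with `*ok` being clear would help the next reader, and the unchanged comment above the read is missing its closing parenthesis after "has already been read".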