Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Fixed by adding consistency check for DTLS fragments. Thanks to Jüri Aedla for reporting this issue.
This commit is contained in:
parent
b79e6e3a27
commit
f4e6ed09e4
@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
||||
frag->msg_header.frag_off = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
frag = (hm_fragment*) item->data;
|
||||
if (frag->msg_header.msg_len != msg_hdr->msg_len)
|
||||
{
|
||||
item = NULL;
|
||||
frag = NULL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* If message is already reassembled, this must be a
|
||||
* retransmit and can be dropped.
|
||||
|
Loading…
x
Reference in New Issue
Block a user