ports/134653: [patch][vuxml] security/openssl: fix memory exhaustion in DTLS code

Eygene Ryabinkin rea-fbsd at codelabs.ru
Mon May 18 15:40:04 UTC 2009 

>Number:         134653
>Category:       ports
>Synopsis:       [patch][vuxml] security/openssl: fix memory exhaustion in DTLS code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 18 15:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-STABLE amd64

>Description:

Two DTLS problems that lead to memory leaks were fixed by OpenSSL
developers; [1], [2].

>How-To-Repeat:

[1] http://rt.openssl.org/Ticket/Display.html?id=1930
[2] http://rt.openssl.org/Ticket/Display.html?id=1931
[3] http://article.gmane.org/gmane.comp.security.oss.general/1769

>Fix:

The following patch brings upstream patches to the FreeBSD port:
--- fix-0.9.8k.diff begins here ---
>From 5f601b8118ae27f33d04142b96c7084b0f93913b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Mon, 18 May 2009 17:53:10 +0400

Patches were taken directly from the OpenSSL RT bugtracker:
  http://rt.openssl.org/Ticket/Display.html?id=1930
  http://rt.openssl.org/Ticket/Display.html?id=1931

Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
 security/openssl/Makefile                  |    1 +
 security/openssl/files/patch-CVE-2009-1377 |   46 ++++++++++++++++++++++++++++
 security/openssl/files/patch-CVE-2009-1378 |   22 +++++++++++++
 3 files changed, 69 insertions(+), 0 deletions(-)
 create mode 100644 security/openssl/files/patch-CVE-2009-1377
 create mode 100644 security/openssl/files/patch-CVE-2009-1378

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 72c3f4c..65d889d 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	openssl
 PORTVERSION=	0.9.8k
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
diff --git a/security/openssl/files/patch-CVE-2009-1377 b/security/openssl/files/patch-CVE-2009-1377
new file mode 100644
index 0000000..9d0e941
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1377
@@ -0,0 +1,46 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
+
+--- crypto/pqueue/pqueue.c	2005-12-20 08:03:10.000000000 +0100
++++ crypto/pqueue/pqueue.c	2009-05-15 16:07:33.000000000 +0200
+@@ -237,3 +237,17 @@
+ 
+ 	return ret;
+ 	}
++
++int
++pqueue_size(pqueue_s *pq)
++{
++	pitem *item = pq->items;
++	int count = 0;
++	
++	while(item != NULL)
++	{
++		count++;
++		item = item->next;
++	}
++	return count;
++}
+
+--- crypto/pqueue/pqueue.h	2005-06-08 00:21:14.000000000 +0200
++++ crypto/pqueue/pqueue.h	2009-05-15 16:07:03.000000000 +0200
+@@ -89,5 +89,6 @@
+ pitem *pqueue_next(piterator *iter);
+ 
+ void   pqueue_print(pqueue pq);
++int	   pqueue_size(pqueue pq);
+ 
+ #endif /* ! HEADER_PQUEUE_H */
+
+--- ssl/d1_pkt.c	2009-04-23 18:32:40.000000000 +0200
++++ ssl/d1_pkt.c	2009-05-15 16:06:23.000000000 +0200
+@@ -207,6 +207,10 @@
+ 	DTLS1_RECORD_DATA *rdata;
+ 	pitem *item;
+ 
++	/* Limit the size of the queue to prevent DOS attacks */
++	if (pqueue_size(queue->q) >= 100)
++		return 0;
++		
+ 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ 	item = pitem_new(priority, rdata);
+ 	if (rdata == NULL || item == NULL)
diff --git a/security/openssl/files/patch-CVE-2009-1378 b/security/openssl/files/patch-CVE-2009-1378
new file mode 100644
index 0000000..9b00d55
--- /dev/null
+++ b/security/openssl/files/patch-CVE-2009-1378
@@ -0,0 +1,22 @@
+Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
+
+--- ssl/d1_both.c	2009-05-18 09:57:08.000000000 +0200
++++ ssl/d1_both.c	2009-05-18 10:08:51.000000000 +0200
+@@ -561,7 +561,16 @@
+ 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ 		goto err;
+ 
+-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
++	/* Try to find item in queue, to prevent duplicate entries */
++	pq_64bit_init(&seq64);
++	pq_64bit_assign_word(&seq64, msg_hdr->seq);
++	item = pqueue_find(s->d1->buffered_messages, seq64);
++	pq_64bit_free(&seq64);
++	
++	/* Discard the message if sequence number was already there, is
++	 * too far in the future or the fragment is already in the queue */
++	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ 		{
+ 		unsigned char devnull [256];
+ 
-- 
1.6.3.1
--- fix-0.9.8k.diff ends here ---

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="d84b3398-43b0-11de-9b62-0022156e8794">
    <topic>openssl -- Denial of Service in DTLS implementation</topic>
    <affects>
      <package>
        <name>openssl</name>
        <range><ge>0.9.8</ge><lt>0.9.8k_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>OpenSSL developers report on the DTLS unlimited record
        buffer growth:</p>
        <blockquote
          cite="http://rt.openssl.org/Ticket/Display.html?id=1930">
          <p>Records are buffered if they arrive with a future epoch to
          be processed after finishing the corresponding handshake.
          There is currently no limitation to this buffer allowing an
          attacker to perform a DOS attack with sending records with
          future epochs until there is no memory left.</p>
        </blockquote>
        <p>OpenSSL developers report on the DTLS fragment handling memory
        leak:</p>
        <blockquote
          cite="http://rt.openssl.org/Ticket/Display.html?id=1931">
          <p>In dtls1_process_out_of_seq_message() the check if the
          current message is already buffered was missing.  For every new
          message was memory allocated, allowing an attacker to perform
          an denial of service attack with sending out of seq handshake
          messages until there is no memory left.  Additionally every
          future message was buffered, even if the sequence number made
          no sense and would be part of another handshake.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-1377</cvename>
      <cvename>CVE-2009-1378</cvename>
      <url>http://rt.openssl.org/Ticket/Display.html?id=1930</url>
      <url>http://rt.openssl.org/Ticket/Display.html?id=1931</url>
    </references>
    <dates>
      <discovery>2009-05-18</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

The mentioned patches also apply fine to the OpenSSL in HEAD, though
more testing is needed: DTLS client and server from the base system
segfaults badly on most of my attempts.

I am not sure if anyone uses DTLS now, but the bug should be fixed
anyway.

Please, note: if anyone will want to test openssl s_client/s_server with
dtls1, he should manually set MTU value via '-mtu NNNN' -- OpenSSL's MTU
discovery is badly broken on FreeBSD and produces 0xFFFFFFFF as the MTU
value that will be transformed into (-1) and will cause harm :((
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list