svn commit: r196462 - vendor-crypto/openssl/dist/ssl
Simon L. Nielsen
simon at FreeBSD.org
Sun Aug 23 14:12:01 UTC 2009
Author: simon
Date: Sun Aug 23 14:12:01 2009
New Revision: 196462
URL: http://svn.freebsd.org/changeset/base/196462
Log:
Import DTLS fix from upstream OpenSSL 0.9.8 branch:
Fix fragment handling memory leak.
Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.
Security: CVE-2009-1378
Obtained from: OpenSSL CVS
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
Modified:
vendor-crypto/openssl/dist/ssl/d1_both.c
Modified: vendor-crypto/openssl/dist/ssl/d1_both.c
==============================================================================
--- vendor-crypto/openssl/dist/ssl/d1_both.c Sun Aug 23 13:58:25 2009 (r196461)
+++ vendor-crypto/openssl/dist/ssl/d1_both.c Sun Aug 23 14:12:01 2009 (r196462)
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];
More information about the svn-src-all
mailing list