37 lines
1008 B
Diff
37 lines
1008 B
Diff
commit 208d54db20d58c9a5e45e856a0650caadd7d9612
|
|
Author: Dr. Stephen Henson <steve@openssl.org>
|
|
Date: Tue May 13 18:48:31 2014 +0100
|
|
|
|
Fix for CVE-2014-0195
|
|
|
|
A buffer overrun attack can be triggered by sending invalid DTLS fragments
|
|
to an OpenSSL DTLS client or server. This is potentially exploitable to
|
|
run arbitrary code on a vulnerable client or server.
|
|
|
|
Fixed by adding consistency check for DTLS fragments.
|
|
|
|
Thanks to Jüri Aedla for reporting this issue.
|
|
|
|
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
|
|
index 2e8cf68..07f67f8 100644
|
|
--- a/ssl/d1_both.c
|
|
+++ b/ssl/d1_both.c
|
|
@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
|
frag->msg_header.frag_off = 0;
|
|
}
|
|
else
|
|
+ {
|
|
frag = (hm_fragment*) item->data;
|
|
+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
|
|
+ {
|
|
+ item = NULL;
|
|
+ frag = NULL;
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+
|
|
|
|
/* If message is already reassembled, this must be a
|
|
* retransmit and can be dropped.
|
|
|