117 lines
3.4 KiB
Diff
117 lines
3.4 KiB
Diff
diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c
|
|
--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100
|
|
+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100
|
|
@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
|
/* Limit the size of the queue to prevent DOS attacks */
|
|
if (pqueue_size(queue->q) >= 100)
|
|
return 0;
|
|
-
|
|
+
|
|
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
|
|
item = pitem_new(priority, rdata);
|
|
if (rdata == NULL || item == NULL)
|
|
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
|
}
|
|
#endif
|
|
|
|
- /* insert should not fail, since duplicates are dropped */
|
|
- if (pqueue_insert(queue->q, item) == NULL)
|
|
- {
|
|
- OPENSSL_free(rdata);
|
|
- pitem_free(item);
|
|
- return(0);
|
|
- }
|
|
-
|
|
s->packet = NULL;
|
|
s->packet_length = 0;
|
|
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
|
|
@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
|
if (!ssl3_setup_buffers(s))
|
|
{
|
|
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
|
|
+ if (rdata->rbuf.buf != NULL)
|
|
+ OPENSSL_free(rdata->rbuf.buf);
|
|
OPENSSL_free(rdata);
|
|
pitem_free(item);
|
|
- return(0);
|
|
+ return(-1);
|
|
}
|
|
-
|
|
+
|
|
+ /* insert should not fail, since duplicates are dropped */
|
|
+ if (pqueue_insert(queue->q, item) == NULL)
|
|
+ {
|
|
+ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
|
|
+ if (rdata->rbuf.buf != NULL)
|
|
+ OPENSSL_free(rdata->rbuf.buf);
|
|
+ OPENSSL_free(rdata);
|
|
+ pitem_free(item);
|
|
+ return(-1);
|
|
+ }
|
|
+
|
|
return(1);
|
|
}
|
|
|
|
@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s)
|
|
dtls1_get_unprocessed_record(s);
|
|
if ( ! dtls1_process_record(s))
|
|
return(0);
|
|
- dtls1_buffer_record(s, &(s->d1->processed_rcds),
|
|
- s->s3->rrec.seq_num);
|
|
+ if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
|
|
+ s->s3->rrec.seq_num)<0)
|
|
+ return -1;
|
|
}
|
|
}
|
|
|
|
@@ -529,7 +535,6 @@ printf("\n");
|
|
|
|
/* we have pulled in a full packet so zero things */
|
|
s->packet_length=0;
|
|
- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
|
|
return(1);
|
|
|
|
f_err:
|
|
@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s)
|
|
|
|
/* The epoch may have changed. If so, process all the
|
|
* pending records. This is a non-blocking operation. */
|
|
- dtls1_process_buffered_records(s);
|
|
+ if(dtls1_process_buffered_records(s)<0)
|
|
+ return -1;
|
|
|
|
/* if we're renegotiating, then there may be buffered records */
|
|
if (dtls1_get_processed_record(s))
|
|
@@ -699,7 +705,9 @@ again:
|
|
{
|
|
if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
|
|
{
|
|
- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
|
|
+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
|
|
+ return -1;
|
|
+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
|
|
}
|
|
rr->length = 0;
|
|
s->packet_length = 0;
|
|
@@ -712,6 +720,7 @@ again:
|
|
s->packet_length = 0; /* dump this record */
|
|
goto again; /* get another record */
|
|
}
|
|
+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
|
|
|
|
return(1);
|
|
|
|
@@ -863,7 +872,11 @@ start:
|
|
* buffer the application data for later processing rather
|
|
* than dropping the connection.
|
|
*/
|
|
- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
|
|
+ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)
|
|
+ {
|
|
+ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
|
|
+ return -1;
|
|
+ }
|
|
rr->length = 0;
|
|
goto start;
|
|
}
|