Commit 410e444b authored May 13, 2014 by Dr. Stephen Henson

Fix for CVE-2014-0195

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
(cherry picked from commit 1632ef744872edc2aa2a53d487d3e79c965a4ad3)

parent a91be108

ssl/d1_both.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -632,7 +632,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		frag->msg_header.frag_off = 0;
		}
		else
		{
		frag = (hm_fragment*) item->data;
		if (frag->msg_header.msg_len != msg_hdr->msg_len)
		{
		item = NULL;
		frag = NULL;
		goto err;
		}
		}


		/* If message is already reassembled, this must be a
		* retransmit and can be dropped.

Admin message