Commit 1632ef74 authored May 13, 2014 by Dr. Stephen Henson

Fix for CVE-2014-0195

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

parent f1f4fbde

ssl/d1_both.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL s, struct hm_header_st msg_hdr, int *ok)
		frag->msg_header.frag_off = 0;
		}
		else
		{
		frag = (hm_fragment*) item->data;
		if (frag->msg_header.msg_len != msg_hdr->msg_len)
		{
		item = NULL;
		frag = NULL;
		goto err;
		}
		}


		/* If message is already reassembled, this must be a
		* retransmit and can be dropped.