Commit f54b665e authored by Matt Caswell's avatar Matt Caswell
Browse files

Don't memcpy the contents of an empty fragment 



In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.

Fixes a travis issue.

[extended tests]

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6225)
parent 18026c02

ssl/d1_both.c

+2 −1
Original line number Diff line number Diff line
@@ -656,7 +656,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) 


        al = dtls1_preprocess_fragment(s, &frag->msg_header, max);



        if (al == 0) {          /* no alert */

        /* al will be 0 if no alert */

        if (al == 0  && frag->msg_header.frag_len > 0) {

            unsigned char *p =

                (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

            memcpy(&p[frag->msg_header.frag_off], frag->fragment,