Commit f6663338 authored by Matt Caswell's avatar Matt Caswell
Browse files

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS... 


Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: default avatarEmilia Käsper <emilia@openssl.org>
parent b74d1d26

ssl/d1_both.c

+3 −1
Original line number Diff line number Diff line
@@ -668,7 +668,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) 
	/* read the body of the fragment (header has already been read */

	i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,

		frag->fragment + msg_hdr->frag_off,frag_len,0);

	if (i<=0 || (unsigned long)i!=frag_len)

	if ((unsigned long)i!=frag_len)

		i=-1;

	if (i<=0)

		goto err;



	RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,