Fix for CVE-2014-0195

A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Fixed by adding consistency check for DTLS fragments. Thanks to Jüri Aedla for reporting this issue. (cherry picked from commit 1632ef744872edc2aa2a53d487d3e79c965a4ad3) Change-Id: Ie0b8939a71a6772616822df643f2168954b991ad
author: Dr. Stephen Henson <steve@openssl.org> 2014-05-13 18:48:31 +0100
committer: Dan Pasanen <dan.pasanen@gmail.com> 2014-06-06 09:18:38 -0500
commit: d51d9f34e392c62976388bb34d0d94fbb11d3486 (patch)
tree: 0e5d58048dd70b5d6c4288fd9b3ddc1eff8240cd
parent: f672e21e2d09c00413fb76f48d4cd21170ed95ec (diff)
download: replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.zip
replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.tar.gz
replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 214b45b..7b88727 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -620,7 +620,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 		frag->msg_header.frag_off = 0;
 		}
 	else
+		{
 		frag = (hm_fragment*) item->data;
+		if (frag->msg_header.msg_len != msg_hdr->msg_len)
+			{
+			item = NULL;
+			frag = NULL;
+			goto err;
+			}
+		}
+
 
 	/* If message is already reassembled, this must be a
 	 * retransmit and can be dropped.
author	Dr. Stephen Henson <steve@openssl.org>	2014-05-13 18:48:31 +0100
committer	Dan Pasanen <dan.pasanen@gmail.com>	2014-06-06 09:18:38 -0500
commit	d51d9f34e392c62976388bb34d0d94fbb11d3486 (patch)
tree	0e5d58048dd70b5d6c4288fd9b3ddc1eff8240cd
parent	f672e21e2d09c00413fb76f48d4cd21170ed95ec (diff)
download	replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.zip replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.tar.gz replicant_openssl-d51d9f34e392c62976388bb34d0d94fbb11d3486.tar.bz2