Verify that we have a sensible message len and fail if not

RT#3592 provides an instance where the OPENSSL_assert that this commit replaces can be hit. I was able to recreate this issue by forcing the underlying BIO to misbehave and come back with very small mtu values. This happens the second time around the while loop after we have detected that the MTU has been exceeded following the call to dtls1_write_bytes. Reviewed-by: N Tim Hudson <tjh@openssl.org>

Verify that we have a sensible message len and fail if not
RT#3592 provides an instance where the OPENSSL_assert that this commit replaces can be hit. I was able to recreate this issue by forcing the underlying BIO to misbehave and come back with very small mtu values. This happens the second time around the while loop after we have detected that the MTU has been exceeded following the call to dtls1_write_bytes. Reviewed-by: N Tim Hudson <tjh@openssl.org>
cf75017b · Matt Caswell · 961d2ddb · cf75017b
隐藏空白更改
内联并排

Showing with 8 addition and 2 deletion

ssl/d1_both.c ssl/d1_both.c +8 -2

未找到文件。
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -329,12 +329,18 @@ int dtls1_do_write(SSL *s, int type)
 					len = s->init_num;
 				}

+			if ( len < DTLS1_HM_HEADER_LENGTH )
+				{
+				/*
+				 * len is so small that we really can't do anything sensible
+				 * so fail
+				 */
+				return -1;
+				}
 			dtls1_fix_message_header(s, frag_off, 
 				len - DTLS1_HM_HEADER_LENGTH);

 			dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
-
-			OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
 			}

 		ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],