Fix return code for truncated DTLS fragment.

Previously, a truncated DTLS fragment in |dtls1_process_out_of_seq_message| would cause *ok to be cleared, but the return value would still be the number of bytes read. This would cause |dtls1_get_message| not to consider it an error and it would continue processing as normal until the calling function noticed that *ok was zero. I can't see an exploit here because |dtls1_get_message| uses |s->init_num| as the length, which will always be zero from what I can see. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Emilia Käsper <emilia@openssl.org>

Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in |dtls1_process_out_of_seq_message| would cause *ok to be cleared, but the return value would still be the number of bytes read. This would cause |dtls1_get_message| not to consider it an error and it would continue processing as normal until the calling function noticed that *ok was zero. I can't see an exploit here because |dtls1_get_message| uses |s->init_num| as the length, which will always be zero from what I can see. Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Emilia Käsper <emilia@openssl.org>
b74d1d26 · Adam Langley · Matt Caswell · d0a4b7d1 · b74d1d26
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

ssl/d1_both.c ssl/d1_both.c +3 -1

未找到文件。
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -776,7 +776,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
 			/* read the body of the fragment (header has already been read */
 			i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
 				frag->fragment,frag_len,0);
-			if (i<=0 || (unsigned long)i!=frag_len)
+			if ((unsigned long)i!=frag_len)
+				i = -1;
+			if (i<=0)
 				goto err;
 			}