Fix crash in dtls1_get_record whilst in the listen state where you get two

separate reads performed - one for the header and one for the body of the handshake record. CVE-2014-3571 Reviewed-by: N Matt Caswell <matt@openssl.org>

Fix crash in dtls1_get_record whilst in the listen state where you get two
separate reads performed - one for the header and one for the body of the handshake record. CVE-2014-3571 Reviewed-by: N Matt Caswell <matt@openssl.org>
feba02f3 · Dr. Stephen Henson · Matt Caswell · 4a4d4158 · feba02f3 · feba02f3
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

ssl/d1_pkt.c ssl/d1_pkt.c +0 -2

ssl/s3_pkt.c ssl/s3_pkt.c +2 -0

未找到文件。
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -645,8 +645,6 @@ again:
 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
 		i=rr->length;
 		n=ssl3_read_n(s,i,i,1);
-		if (n <= 0) return(n); /* error or non-blocking io */
-
 		/* this packet contained a partial record, dump it */
 		if ( n != i)
 			{

--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -197,6 +197,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 	 * at once (as long as it fits into the buffer). */
 	if (SSL_IS_DTLS(s))
 		{
+		if (left == 0 && extend)
+			return 0;
 		if (left > 0 && n > left)
 			n = left;
 		}