From 1ad69c40f41c48743fc2a936ec067f21604a60b3 Mon Sep 17 00:00:00 2001 From: guenther Date: Fri, 8 Aug 2014 05:06:56 +0000 Subject: [PATCH] Fix CVE-2014-3507, avoid allocating and then leaking a fresh fragment structure when a zero-length fragment is received. Based on https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74 diff by miod@, ok guenther@ bcook@ deraadt@ --- lib/libssl/d1_both.c | 9 +++++++-- lib/libssl/src/ssl/d1_both.c | 9 +++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c index fea701107fd..1eda4aef726 100644 --- a/lib/libssl/d1_both.c +++ b/lib/libssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.27 2014/08/07 20:24:12 guenther Exp $ */ +/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -597,6 +597,11 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; + if (frag_len == 0) { + i = DTLS1_HM_FRAGMENT_RETRY; + goto err; + } + /* Try to find item in queue */ memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); @@ -725,7 +730,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) frag_len -= i; } } else { - if (frag_len && frag_len < msg_hdr->msg_len) + if (frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); if (frag_len > dtls1_max_handshake_message_len(s)) diff --git a/lib/libssl/src/ssl/d1_both.c b/lib/libssl/src/ssl/d1_both.c index fea701107fd..1eda4aef726 100644 --- a/lib/libssl/src/ssl/d1_both.c +++ b/lib/libssl/src/ssl/d1_both.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.27 2014/08/07 20:24:12 guenther Exp $ */ +/* $OpenBSD: d1_both.c,v 1.28 2014/08/08 05:06:56 guenther Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -597,6 +597,11 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) goto err; + if (frag_len == 0) { + i = DTLS1_HM_FRAGMENT_RETRY; + goto err; + } + /* Try to find item in queue */ memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); @@ -725,7 +730,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) frag_len -= i; } } else { - if (frag_len && frag_len < msg_hdr->msg_len) + if (frag_len < msg_hdr->msg_len) return dtls1_reassemble_fragment(s, msg_hdr, ok); if (frag_len > dtls1_max_handshake_message_len(s)) -- 2.20.1
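Review bot: The new `frag_len == 0` guard in dtls1_reassemble_fragment (hunk at -597,6 +597,11) has no comment, and it hands back a retry code through `goto err`, a label that lies outside this hunk. A reader cannot tell from the code that a zero-length fragment is an expected, peer-controlled input rather than a failure, so I would add above the check: `/* Zero-length fragment: nothing to buffer. Bail out before a fragment is allocated so it cannot be leaked (CVE-2014-3507). */`. It is also worth confirming that the `err:` path does nothing a retry must not do, such as clearing `*ok` in a way the caller treats as fatal; if it does, a direct `return DTLS1_HM_FRAGMENT_RETRY;` would be clearer. The identical hunk in lib/libssl/d1_both.c needs the same comment.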
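Review bot: Dropping `frag_len &&` in dtls1_process_out_of_seq_message (hunk at -725,7 +730,7) makes this call site depend on the zero-length check inside dtls1_reassemble_fragment, and nothing at the call site records that. A later refactor that moves or removes the callee's check could reintroduce the problem this commit fixes, so a one-line comment such as `/* zero-length fragments are rejected inside dtls1_reassemble_fragment() */` would document the coupling. When `frag_len` and `msg_hdr->msg_len` are both 0 the condition is false and execution falls through to code below this hunk, which is not visible here; that path should be checked to make sure an empty message does not allocate anything it fails to release. The same applies to the copy in lib/libssl/d1_both.c.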