File openssl-CVE-2014-3507.patch of Package compat-openssl098.703

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-CVE-2014-3507.patch of Package compat-openssl098.703

commit 445598b35e16090b676bb168807da06518658b34
Author: Adam Langley <agl@imperialviolet.org>
Date:   Fri Jun 6 14:30:33 2014 -0700

Fix memory leak from zero-length DTLS fragments.
    
    The |pqueue_insert| function can fail if one attempts to insert a
    duplicate sequence number. When handling a fragment of an out of
    sequence message, |dtls1_process_out_of_seq_message| would not call
    |dtls1_reassemble_fragment| if the fragment's length was zero. It would
    then allocate a fresh fragment and attempt to insert it, but ignore the
    return value, leaking the fragment.
    
    This allows an attacker to exhaust the memory of a DTLS peer.
    
    Fixes CVE-2014-3507
    
    Reviewed-by: Matt Caswell <matt@openssl.org>
    Reviewed-by: Emilia Käsper <emilia@openssl.org>

Index: openssl-0.9.8j/ssl/d1_both.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_both.c	2014-08-08 15:46:05.049373250 +0200
+++ openssl-0.9.8j/ssl/d1_both.c	2014-08-08 15:54:48.837133852 +0200
@@ -621,7 +621,15 @@ dtls1_process_out_of_seq_message(SSL *s,
 		if ( item == NULL)
 			goto err;
 
-		pqueue_insert(s->d1->buffered_messages, item);
+		item = pqueue_insert(s->d1->buffered_messages, item);
+		/* pqueue_insert fails iff a duplicate item is inserted.
+		 * However, |item| cannot be a duplicate. If it were,
+		 * |pqueue_find|, above, would have returned it. Then, either
+		 * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
+		 * to NULL and it will have been processed with
+		 * |dtls1_reassemble_fragment|, above, or the record will have
+		 * been discarded. */
+		OPENSSL_assert(item != NULL);
 	}
 
 	return DTLS1_HM_FRAGMENT_RETRY;

Places

File openssl-CVE-2014-3507.patch of Package compat-openssl098.703

Places