RT for openssl.org
 
 
#1838: [PATCH] DTLS fragment bug
Ticket metadata

The Basics
Id: 1838
Status: resolved
Left: 0 min
Priority: 0/0
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: steve <steve@openssl.org>
Requestors: seggelmann@fh-muenster.de
Cc:
AdminCc:

Dates
Created: Thu Feb 05 18:00:10 2009
Starts: Not set
Started: Not set
Last Contact: Fri Apr 03 00:13:06 2009
Due: Not set
Closed: Tue Apr 14 16:25:36 2009
Updated: Tue Apr 14 16:25:36 2009 by steve

Links
Depends on:
Depended on by:
Parents:
Children:
Refers to:
Referred to by:
History

Thu Feb 05 18:00:12 2009  seggelmann@fh-muenster.de - Ticket created
Subject: [PATCH] DTLS fragment bug
Date: Thu, 5 Feb 2009 16:56:42 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Whenever a handshake message arrives with an unexpected sequence
number, it is passed to the function
dtls1_process_out_of_seq_message(). This function discards the data if
the sequence number is lower than the expected value and buffers it
if it is a future message. When discarding, the message fragment length
remains 0, which indicates that nothing has to be buffered. Due to a
misplaced if condition to check the length, sometimes fragments with
no data but with the length of the dropped message are buffered. This
causes a bus error when processing later.


--- ssl/d1_both.c 2007-10-17 23:17:49.000000000 +0200
+++ ssl/d1_both.c 2009-02-05 16:29:12.000000000 +0100
@@ -575,30 +575,31 @@
}
}

- frag = dtls1_hm_fragment_new(frag_len);
- if ( frag == NULL)
- goto err;
+ if (frag_len)
+ {
+ frag = dtls1_hm_fragment_new(frag_len);
+ if ( frag == NULL)
+ goto err;

- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));

- if (frag_len)
- {
- /* read the body of the fragment (header has already been read */
+ /* read the body of the fragment (header has already been read) */
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
frag->fragment,frag_len,0);
if (i<=0 || (unsigned long)i!=frag_len)
goto err;
- }

- pq_64bit_init(&seq64);
- pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);

- item = pitem_new(seq64, frag);
- pq_64bit_free(&seq64);
- if ( item == NULL)
- goto err;
+ item = pitem_new(seq64, frag);
+ pq_64bit_free(&seq64);
+ if ( item == NULL)
+ goto err;
+
+ pqueue_insert(s->d1->buffered_messages, item);
+ }

- pqueue_insert(s->d1->buffered_messages, item);
return DTLS1_HM_FRAGMENT_RETRY;

err:
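Review bot: keying the whole allocate-and-queue block on `if (frag_len)` conflates two different reasons for frag_len being 0: the discard path (the bug being fixed, where the body has already been drained and only `msg_hdr->frag_len` still carries the dropped length) and a future message that legitimately has no body (ServerHelloDone, for instance). After this hunk the latter is no longer buffered at all, yet the function still falls through to `return DTLS1_HM_FRAGMENT_RETRY`, so the peer has to retransmit a message we could have kept. The cleaner fix is to make the branch that drains the stale message bail out explicitly (return, or set a flag checked here), and keep `if (frag_len)` only around the `ssl_read_bytes` call as it was before. A one-line comment above the new `if (frag_len)` saying that a zero here means "nothing to buffer because the message was discarded" would also help, since a reader of the hunk cannot see the discard code.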
Fri Apr 03 00:11:31 2009  steve - Taken
Fri Apr 03 00:13:05 2009  steve - Correspondence added
Patch applied to 0.9.8-stable, doesn't apply cleanly to 1.0.0-beta1
Fri Apr 03 00:13:06 2009  RT_System - Status changed from 'new' to 'open'
Tue Apr 14 16:25:36 2009  steve - Status changed from 'open' to 'resolved'
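The failure the ticket describes, a buffered fragment whose copied header still claims the dropped message's length while its body holds no bytes, modelled in C as an added example. This is not OpenSSL code: `struct msg_hdr`, `struct frag`, `struct state`, `process_out_of_seq`, `queue_consistent` and `retrieve_into` are simplified stand-ins for the header and fragment types, for dtls1_process_out_of_seq_message() with its buffered_messages queue, and for the later retrieval step; the record bytes are constructed, and the `fixed` flag switches between the pre-patch and the patched control flow so the two can be compared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Wire header of one DTLS handshake fragment (field names follow the ticket). */
struct msg_hdr {
    unsigned seq;      /* message_seq */
    size_t   msg_len;  /* length of the whole handshake message */
    size_t   frag_off; /* offset of this fragment within the message */
    size_t   frag_len; /* fragment length as claimed by the header */
};

/* One buffered fragment: the copied header plus the bytes actually read. */
struct frag {
    struct msg_hdr hdr;
    unsigned char *body;
    size_t         body_len; /* bytes really held; may differ from hdr.frag_len */
    struct frag   *next;
};

struct state {
    unsigned     expected_seq; /* handshake_read_seq: message we are waiting for */
    struct frag *queue;        /* stand-in for s->d1->buffered_messages */
};

static void state_free(struct state *st)
{
    while (st->queue) {
        struct frag *f = st->queue;
        st->queue = f->next;
        free(f->body);
        free(f);
    }
}

/* Simplified model of dtls1_process_out_of_seq_message(). `record` is the body
 * as ssl_read_bytes() would deliver it. fixed == 0 is the pre-patch flow (always
 * allocate and queue), fixed == 1 the patched flow (queue only while frag_len is
 * non-zero). Returns 1 if a fragment was queued, 0 if the data was dropped. */
static int process_out_of_seq(struct state *st, const struct msg_hdr *h,
                              const unsigned char *record, int fixed)
{
    size_t frag_len = h->frag_len;
    /* Stale message: the real code reads and throws away its body. frag_len is
     * 0 afterwards, but h->frag_len still carries the dropped length. */
    if (h->seq <= st->expected_seq)
        frag_len = 0;
    if (fixed && frag_len == 0)
        return 0;
    struct frag *f = calloc(1, sizeof *f);
    if (f == NULL) return 0;
    f->hdr = *h;            /* header copied verbatim, frag_len included... */
    f->body_len = frag_len; /* ...but only frag_len bytes are read and held */
    if (frag_len) {
        f->body = malloc(frag_len);
        if (f->body == NULL) { free(f); return 0; }
        memcpy(f->body, record, frag_len);
    }
    f->next = st->queue;
    st->queue = f;
    return 1;
}

/* Invariant the reassembly code relies on: every queued fragment holds exactly
 * as many body bytes as its header claims. The pre-patch flow breaks it. */
static int queue_consistent(const struct state *st)
{
    for (const struct frag *f = st->queue; f != NULL; f = f->next)
        if (f->body_len != f->hdr.frag_len)
            return 0;
    return 1;
}

/* Retrieval step: copy a fragment into the reassembled message using
 * hdr.frag_len. The body_len check is the guard the original lacked; without it
 * a 0-byte body with a non-zero frag_len is read past its end. -1 = rejected. */
static long retrieve_into(const struct frag *f, unsigned char *msg, size_t msg_cap)
{
    if (f->hdr.frag_off > msg_cap || f->hdr.frag_len > msg_cap - f->hdr.frag_off)
        return -1;
    if (f->body_len != f->hdr.frag_len)
        return -1;
    memcpy(msg + f->hdr.frag_off, f->body, f->hdr.frag_len);
    return (long)f->hdr.frag_len;
}

int main(void)
{
    /* Constructed input: 4-byte fragment of message 2 arriving while message 3 is expected. */
    const unsigned char record[4] = {0xde, 0xad, 0xbe, 0xef};
    const struct msg_hdr stale = {2, 4, 0, 4};

    for (int fixed = 0; fixed <= 1; fixed++) {
        struct state st = {3, NULL};
        int queued = process_out_of_seq(&st, &stale, record, fixed);
        printf("%s: queued=%d consistent=%d\n", fixed ? "patched  " : "pre-patch",
               queued, queue_consistent(&st));
        state_free(&st);
    }
    return 0;
}
```

The check in `retrieve_into` is the consumer-side complement to the patch: the patch stops an inconsistent fragment from being queued, while refusing any fragment whose `body_len` and `hdr.frag_len` disagree stops an already-queued one from being read past its end, which is what the reported bus error comes down to.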