Ticket metadata
The Basics
Id: 1838
Status: resolved
Priority: 0
Queue: OpenSSL-Bugs

People
Owner: Stephen Henson
Requestors: Robin Seggelmann

Dates
Created: Thu Feb 05 17:00:10 2009
Starts: Not set
Started: Not set
Last Contact: Thu Apr 02 22:13:06 2009
Due: Not set
Closed: Tue Apr 14 14:25:36 2009
Updated: Tue Apr 14 14:25:36 2009 by Stephen Henson

Subject: [PATCH] DTLS fragment bug
Date: Thu, 5 Feb 2009 16:56:42 +0100
To: rt@openssl.org
From: Robin Seggelmann <seggelmann@fh-muenster.de>
Whenever a handshake message arrives with an unexpected sequence
number, it is passed to the function
dtls1_process_out_of_seq_message(). This function discards the data if
the sequence number is lower than the expected value and buffers it,
if it is a future message. When discarding, the message fragment length
remains 0 which indicates that nothing has to be buffered. Due to a
misplaced if condition to check the length, sometimes fragments with
no data but with the length of the dropped message are buffered. This
causes a bus error when processing later.

--- ssl/d1_both.c 2007-10-17 23:17:49.000000000 +0200
+++ ssl/d1_both.c 2009-02-05 16:29:12.000000000 +0100
@@ -575,30 +575,31 @@
}
}

- frag = dtls1_hm_fragment_new(frag_len);
- if ( frag == NULL)
- goto err;
+ if (frag_len)
+ {
+ frag = dtls1_hm_fragment_new(frag_len);
+ if ( frag == NULL)
+ goto err;

- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));

- if (frag_len)
- {
- /* read the body of the fragment (header has already been read */
+ /* read the body of the fragment (header has already been read) */
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
frag->fragment,frag_len,0);
if (i<=0 || (unsigned long)i!=frag_len)
goto err;
- }

- pq_64bit_init(&seq64);
- pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);

- item = pitem_new(seq64, frag);
- pq_64bit_free(&seq64);
- if ( item == NULL)
- goto err;
+ item = pitem_new(seq64, frag);
+ pq_64bit_free(&seq64);
+ if ( item == NULL)
+ goto err;
+
+ pqueue_insert(s->d1->buffered_messages, item);
+ }

- pqueue_insert(s->d1->buffered_messages, item);
return DTLS1_HM_FRAGMENT_RETRY;

err:
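Review bot: the `err:` cleanup is outside this hunk, and on the path where `pitem_new` fails (`if ( item == NULL) goto err;`) `frag` is still live while `item` is NULL, so confirm that `err:` frees `frag` rather than leaking it; the same path existed before the patch, so this is not a regression, but it is worth checking while here. A style point: the unchanged lines from `i = s->method->ssl_read_bytes(` through `goto err;` now sit one level deeper inside the new `if (frag_len)` block and should be re-indented to match. The guard itself does what the report asks: with `frag_len` 0 nothing is allocated, copied or queued, and control falls through to `return DTLS1_HM_FRAGMENT_RETRY`.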
Patch applied to 0.9.8-stable, doesn't apply cleanly to 1.0.0-beta1

Patch applied to 1.0.0-beta1 now. Ticket resolved, many thanks for the
report.
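The defect the report above describes, as an added C model that is not OpenSSL's code: the pre-patch and post-patch buffering decision side by side, plus the invariant a later consumer of the queue relies on. All struct and function names (hm_header, hm_fragment, hm_queue, buffer_old, buffer_new, queued_entry_is_usable) are hypothetical stand-ins for the d1_both.c ones.

```c
/* Added model of the defect in the report above, not OpenSSL code.
 * hm_header/hm_fragment/hm_queue and the buffer_* functions are
 * hypothetical stand-ins for the real d1_both.c structures. */
#include <stdlib.h>
#include <string.h>

struct hm_header   { unsigned long seq; unsigned long frag_len; };
struct hm_fragment { struct hm_header msg_header; unsigned char *fragment; };
struct hm_queue    { struct hm_fragment *item; };   /* one slot is enough here */

/* Pre-patch shape: the fragment is always created and queued; only the
 * body read is skipped when frag_len is 0.  The copied header can still
 * carry the dropped message's length, so a queued entry may claim
 * msg_header.frag_len bytes while owning no body at all. */
static int buffer_old(struct hm_queue *q, const struct hm_header *hdr,
                      unsigned long frag_len, const unsigned char *body)
{
    struct hm_fragment *frag = calloc(1, sizeof *frag);
    if (frag == NULL) return -1;
    memcpy(&frag->msg_header, hdr, sizeof *hdr);
    if (frag_len) {
        frag->fragment = malloc(frag_len);
        if (frag->fragment == NULL) { free(frag); return -1; }
        memcpy(frag->fragment, body, frag_len);
    }
    q->item = frag;                 /* queued even with fragment == NULL */
    return 1;                       /* 1 = buffered */
}

/* Post-patch shape: frag_len 0 means "discard", so nothing is allocated
 * or queued; the non-zero path is unchanged. */
static int buffer_new(struct hm_queue *q, const struct hm_header *hdr,
                      unsigned long frag_len, const unsigned char *body)
{
    if (frag_len == 0) return 0;    /* 0 = discarded, queue untouched */
    return buffer_old(q, hdr, frag_len, body);
}

/* The invariant a later consumer needs before it reads
 * msg_header.frag_len bytes from fragment: a non-zero header length
 * must come with an allocated body.  Returns 1 when that holds. */
static int queued_entry_is_usable(const struct hm_queue *q)
{
    if (q->item == NULL) return 0;
    return q->item->msg_header.frag_len == 0 || q->item->fragment != NULL;
}
```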