From b7421a6928c470446c8bd74218149745b1c1db16 Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Sun, 23 Aug 2009 13:58:25 +0000 Subject: [PATCH 1/4] Import DTLS fix from upstream OpenSSL 0.9.8 branch: Fix memory consumption bug with "future epoch" DTLS records. Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1377 Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=18187 --- crypto/pqueue/pqueue.c | 14 ++++++++++++++ crypto/pqueue/pqueue.h | 1 + ssl/d1_pkt.c | 4 ++++ 3 files changed, 19 insertions(+) diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c index 5cc18527f8da..6c89f06fb105 100644 --- a/crypto/pqueue/pqueue.c +++ b/crypto/pqueue/pqueue.c @@ -234,3 +234,17 @@ pqueue_next(pitem **item) return ret; } + +int +pqueue_size(pqueue_s *pq) +{ + pitem *item = pq->items; + int count = 0; + + while(item != NULL) + { + count++; + item = item->next; + } + return count; +} diff --git a/crypto/pqueue/pqueue.h b/crypto/pqueue/pqueue.h index 02386d130e9a..16c4072681c2 100644 --- a/crypto/pqueue/pqueue.h +++ b/crypto/pqueue/pqueue.h @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq); pitem *pqueue_next(piterator *iter); void pqueue_print(pqueue pq); +int pqueue_size(pqueue pq); #endif /* ! HEADER_PQUEUE_H */ diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index eb56cf987ba3..4ae9be54ae60 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) DTLS1_RECORD_DATA *rdata; pitem *item; + /* Limit the size of the queue to prevent DOS attacks */ + if (pqueue_size(queue->q) >= 100) + return 0; + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL) From f8f8fb827d260bb6161b82bb67de04c0a4c9868c Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Sun, 23 Aug 2009 14:12:01 +0000 Subject: [PATCH 2/4] Import DTLS fix from upstream OpenSSL 0.9.8 branch: Fix fragment handling memory leak. Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1378 Obtained from: OpenSSL CVS http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15 --- ssl/d1_both.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 15a201a25cf4..0c863179bc88 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; - if (msg_hdr->seq <= s->d1->handshake_read_seq) + /* Try to find item in queue, to prevent duplicate entries */ + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); + item = pqueue_find(s->d1->buffered_messages, seq64); + pq_64bit_free(&seq64); + + /* Discard the message if sequence number was already there, is + * too far in the future or the fragment is already in the queue */ + if (msg_hdr->seq <= s->d1->handshake_read_seq || + msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) { unsigned char devnull [256]; From 58c74b7534a4526075de41fd4b24bc769866523a Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Sun, 23 Aug 2009 14:15:28 +0000 Subject: [PATCH 3/4] Import DTLS fix from upstream OpenSSL 0.9.8 branch: Do not access freed data structure. Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1379 Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=18156 --- ssl/d1_both.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 0c863179bc88..967d8c542ddb 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if ( s->d1->handshake_read_seq == frag->msg_header.seq) { + unsigned long frag_len = frag->msg_header.frag_len; pqueue_pop(s->d1->buffered_messages); al=dtls1_preprocess_fragment(s,&frag->msg_header,max); @@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if (al==0) { *ok = 1; - return frag->msg_header.frag_len; + return frag_len; } ssl3_send_alert(s,SSL3_AL_FATAL,al); From f0c2a617dfb432d01bc5a716eb18dae12e6b45e3 Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Sun, 23 Aug 2009 14:39:15 +0000 Subject: [PATCH 4/4] Import DTLS fix from upstream OpenSSL 0.9.8 branch: Fix DTLS fragment bug - out-of-sequence message handling which could result in NULL pointer dereference in dtls1_process_out_of_seq_message(). Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1387 Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=17958 --- ssl/d1_both.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 967d8c542ddb..017719210613 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; - - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { - /* read the body of the fragment (header has already been read */ + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; + + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + + /* read the body of the fragment (header has already been read) */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; - } - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, msg_hdr->seq); + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); - item = pitem_new(seq64, frag); - pq_64bit_free(&seq64); - if ( item == NULL) - goto err; + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + } - pqueue_insert(s->d1->buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err: