From b7421a6928c470446c8bd74218149745b1c1db16 Mon Sep 17 00:00:00 2001
From: "Simon L. B. Nielsen" <simon@FreeBSD.org>
Date: Sun, 23 Aug 2009 13:58:25 +0000
Subject: [PATCH] Import DTLS fix from upstream OpenSSL 0.9.8 branch:

Fix memory consumption bug with "future epoch" DTLS records.

Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.

Security:	CVE-2009-1377
Obtained from:	OpenSSL CVS
		http://cvs.openssl.org/chngview?cn=18187
---
 crypto/pqueue/pqueue.c | 14 ++++++++++++++
 crypto/pqueue/pqueue.h |  1 +
 ssl/d1_pkt.c           |  4 ++++
 3 files changed, 19 insertions(+)

diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c
index 5cc18527f8da..6c89f06fb105 100644
--- a/crypto/pqueue/pqueue.c
+++ b/crypto/pqueue/pqueue.c
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
 
 	return ret;
 	}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+	pitem *item = pq->items;
+	int count = 0;
+	
+	while(item != NULL)
+	{
+		count++;
+		item = item->next;
+	}
+	return count;
+}
diff --git a/crypto/pqueue/pqueue.h b/crypto/pqueue/pqueue.h
index 02386d130e9a..16c4072681c2 100644
--- a/crypto/pqueue/pqueue.h
+++ b/crypto/pqueue/pqueue.h
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 void   pqueue_print(pqueue pq);
+int    pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index eb56cf987ba3..4ae9be54ae60 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
     DTLS1_RECORD_DATA *rdata;
 	pitem *item;
 
+	/* Limit the size of the queue to prevent DOS attacks */
+	if (pqueue_size(queue->q) >= 100)
+		return 0;
+		
 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 	item = pitem_new(priority, rdata);
 	if (rdata == NULL || item == NULL)