d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge DTLS fixes from vendor-crypto/openssl/dist:

Browse Source 
- Fix memory consumption bug with "future epoch" DTLS records.
- Fix fragment handling memory leak.
- Do not access freed data structure.
- Fix DTLS fragment bug - out-of-sequence message handling which could
  result in NULL pointer dereference in
  dtls1_process_out_of_seq_message().

Note that this will not get FreeBSD Security Advisory as DTLS is
experimental in OpenSSL.

MFC after:	1 week
Security:	CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 CVE-2009-1387
This commit is contained in:
Simon L. B. Nielsen 2009-08-23 16:29:47 +00:00
commit 2f1ff7669c
4 changed files with 48 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
crypto/openssl/crypto/pqueue/pqueue.c
View File

@ -234,3 +234,17 @@ pqueue_next(pitem **item)
return ret;
}
int
pqueue_size(pqueue_s *pq)
{
pitem *item = pq->items;
int count = 0;
while(item != NULL)
{
count++;
item = item->next;
}
return count;
}

1
crypto/openssl/crypto/pqueue/pqueue.h
View File

@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
pitem *pqueue_next(piterator *iter);
void pqueue_print(pqueue pq);
int pqueue_size(pqueue pq);
#endif /* ! HEADER_PQUEUE_H */

47
crypto/openssl/ssl/d1_both.c
View File

@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
{
unsigned long frag_len = frag->msg_header.frag_len;
pqueue_pop(s->d1->buffered_messages);
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
if (al==0)
{
*ok = 1;
return frag->msg_header.frag_len;
return frag_len;
}
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
goto err;
if (msg_hdr->seq <= s->d1->handshake_read_seq)
/* Try to find item in queue, to prevent duplicate entries */
pq_64bit_init(&seq64);
pq_64bit_assign_word(&seq64, msg_hdr->seq);
item = pqueue_find(s->d1->buffered_messages, seq64);
pq_64bit_free(&seq64);
/* Discard the message if sequence number was already there, is
* too far in the future or the fragment is already in the queue */
if (msg_hdr->seq <= s->d1->handshake_read_seq ||
msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
{
unsigned char devnull [256];
@ -575,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
}
}
frag = dtls1_hm_fragment_new(frag_len);
if ( frag == NULL)
goto err;
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
if (frag_len)
{
/* read the body of the fragment (header has already been read */
{
frag = dtls1_hm_fragment_new(frag_len);
if ( frag == NULL)
goto err;
memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
/* read the body of the fragment (header has already been read) */
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
frag->fragment,frag_len,0);
if (i<=0 || (unsigned long)i!=frag_len)
goto err;
}
pq_64bit_init(&seq64);
pq_64bit_assign_word(&seq64, msg_hdr->seq);
pq_64bit_init(&seq64);
pq_64bit_assign_word(&seq64, msg_hdr->seq);
item = pitem_new(seq64, frag);
pq_64bit_free(&seq64);
if ( item == NULL)
goto err;
item = pitem_new(seq64, frag);
pq_64bit_free(&seq64);
if ( item == NULL)
goto err;
pqueue_insert(s->d1->buffered_messages, item);
}
pqueue_insert(s->d1->buffered_messages, item);
return DTLS1_HM_FRAGMENT_RETRY;
err:

4
crypto/openssl/ssl/d1_pkt.c
View File

@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
DTLS1_RECORD_DATA *rdata;
pitem *item;
/* Limit the size of the queue to prevent DOS attacks */
if (pqueue_size(queue->q) >= 100)
return 0;
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
item = pitem_new(priority, rdata);
if (rdata == NULL || item == NULL)