Fix "DTLS fragment handling" (CVE-2009-1378)
Kurt Roeckx
14 years ago
0 | 0 |
openssl (0.9.8g-15+lenny2) stable-security; urgency=low
|
1 | 1 |
|
2 | 2 |
* Fix "DTLS record buffer limitation bug." (CVE-2009-1377)
|
3 | |
|
4 | |
-- Kurt Roeckx <kurt@roeckx.be> Mon, 01 Jun 2009 14:34:45 +0200
|
|
3 |
* Fix "DTLS fragment handling" (CVE-2009-1378)
|
|
4 |
|
|
5 |
-- Kurt Roeckx <kurt@roeckx.be> Mon, 01 Jun 2009 14:39:43 +0200
|
5 | 6 |
|
6 | 7 |
openssl (0.9.8g-15+lenny1) stable-security; urgency=low
|
7 | 8 |
|
560 | 560 |
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
|
561 | 561 |
goto err;
|
562 | 562 |
|
563 | |
if (msg_hdr->seq <= s->d1->handshake_read_seq)
|
|
563 |
/* Try to find item in queue, to prevent duplicate entries */
|
|
564 |
memset(seq64be,0,sizeof(seq64be));
|
|
565 |
seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
|
|
566 |
seq64be[7] = (unsigned char) msg_hdr->seq;
|
|
567 |
item = pqueue_find(s->d1->buffered_messages, seq64be);
|
|
568 |
|
|
569 |
/* Discard the message if sequence number was already there, is
|
|
570 |
* too far in the future or the fragment is already in the queue */
|
|
571 |
if (msg_hdr->seq <= s->d1->handshake_read_seq ||
|
|
572 |
msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
|
564 | 573 |
{
|
565 | 574 |
unsigned char devnull [256];
|
566 | 575 |
|