PR: 1829
[oweals/openssl.git] / ssl / s3_pkt.c
index d0f54e297bb7af5e53ff732363c5c6c85b530dd4..9476dcddf6e958f6f3c566c3279f3f44bf74c4d7 100644 (file)
@@ -277,11 +277,7 @@ again:
                n2s(p,rr->length);
 
                /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                        {
                        if (version != s->version)
                                {
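Review bot: The record-version comparison is now gated on `s->first_packet`, but this path no longer clears that flag, so `version != s->version` stays skipped for every record until something else resets it. No reset is visible in this diff. If it lives in the handshake code, a comment above the `if` should say so, for example `/* first_packet is cleared by the handshake code; until then the record version is not enforced here */`. If no other path clears it, the version check is effectively disabled for the whole connection, which is worth confirming before merge. The enclosing block continues past the end of the hunk.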
@@ -757,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                        s->rwstate=SSL_NOTHING;
                        return(s->s3->wpend_ret);
                        }
-               else if (i <= 0)
+               else if (i <= 0) {
+                       if (s->version == DTLS1_VERSION ||
+                           s->version == DTLS1_BAD_VER) {
+                               /* For DTLS, just drop it. That's kind of the whole
+                                  point in using a datagram service */
+                               s->s3->wbuf.left = 0;
+                       }
                        return(i);
+               }
                s->s3->wbuf.offset+=i;
                s->s3->wbuf.left-=i;
                }
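Review bot: The DTLS drop branch sets `s->s3->wbuf.left = 0` but leaves `s->rwstate` untouched, whereas the completed-write branch just above resets it with `s->rwstate=SSL_NOTHING;`. Whether a stale write state matters depends on code outside the hunk, so confirm that callers do not treat the connection as still having a pending record. The branch fires for every `i <= 0`, which presumably includes a retryable would-block result from the BIO. The comment should therefore state the contract, e.g. `/* DTLS: discard the pending record on any write failure, retryable or not; the error is still returned to the caller */`. The new braces are K&R style, while the surrounding lines put each brace on its own indented line.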
@@ -1229,6 +1232,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
        if (s->s3->tmp.key_block == NULL)
                {
+               if (s->session == NULL) 
+                       {
+                       /* might happen if dtls1_read_bytes() calls this */
+                       SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                       return (0);
+                       }
+
                s->session->cipher=s->s3->tmp.new_cipher;
                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                }
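Review bot: The new guard rejects an early ChangeCipherSpec only when `s->session` is NULL. As far as this hunk shows, a CCS that arrives with a session object present but no master secret yet, or with `s->s3->tmp.new_cipher` still NULL, falls through to `setup_key_block()`. Consider widening the condition to `if (s->session == NULL || s->session->master_key_length == 0 || s->s3->tmp.new_cipher == NULL)` so key material is never derived from an unset secret or cipher. The `if (s->session == NULL) ` line also carries trailing whitespace. The function body extends beyond the hunk, so what the caller does with the 0 return (alert, teardown) is not visible here.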