Verify that we have a sensible message len and fail if not
authorMatt Caswell <matt@openssl.org>
Mon, 1 Dec 2014 11:10:38 +0000 (11:10 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 3 Dec 2014 09:38:10 +0000 (09:38 +0000)
RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cf75017bfd60333ff65edf9840001cd2c49870a3)

ssl/d1_both.c

index 97762b9cfd38e6326031e7d7c36be08f92bedfe0..e83f9353a0b79680e1c56e7ad9e1aac7a823d8ed 100644 (file)
@@ -324,12 +324,18 @@ int dtls1_do_write(SSL *s, int type)
                                        len = s->init_num;
                                }
 
+                       if ( len < DTLS1_HM_HEADER_LENGTH )
+                               {
+                               /*
+                                * len is so small that we really can't do anything sensible
+                                * so fail
+                                */
+                               return -1;
+                               }
                        dtls1_fix_message_header(s, frag_off, 
                                len - DTLS1_HM_HEADER_LENGTH);
 
                        dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
-
-                       OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
                        }
 
                ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],