Fix an Uninit read in DTLS
author Matt Caswell <matt@openssl.org>
Wed, 28 Sep 2016 13:12:26 +0000 (14:12 +0100)
committer Matt Caswell <matt@openssl.org>
Thu, 29 Sep 2016 09:00:52 +0000 (10:00 +0100)
If we have a handshake fragment waiting then dtls1_read_bytes() was not
correctly setting the value of recvd_type, leading to an uninit read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083)

ssl/record/rec_layer_d1.c

index 2455c2bd124affcfcf606869a7572a02dd1c90d4..1d16319f1485cf2756897001535821f74d697ac6 100644 (file)
@@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     /*
      * check whether there's a handshake message (client hello?) waiting
      */
-    if ((ret = have_handshake_fragment(s, type, buf, len)))
+    if ((ret = have_handshake_fragment(s, type, buf, len))) {
+        *recvd_type = SSL3_RT_HANDSHAKE;
         return ret;
+    }
 
     /*
      * Now s->rlayer.d->handshake_fragment_len == 0 if