author Lutz Jänicke <jaenicke@openssl.org>
Fri, 10 Oct 2008 10:41:32 +0000 (10:41 +0000)
committer Lutz Jänicke <jaenicke@openssl.org>
Fri, 10 Oct 2008 10:41:32 +0000 (10:41 +0000)

When the underlying BIO_write() fails to send a datagram, we leave the
offending record queued as 'pending'. The DTLS code doesn't expect this,
and we end up hitting an OPENSSL_assert() in do_dtls1_write().

The simple fix is just _not_ to leave it queued. In DTLS, dropping
packets is perfectly acceptable -- and even preferable. If we wanted a
service with retries and guaranteed delivery, we'd be using TCP.
PR: #1703
Submitted by: David Woodhouse <dwmw2@infradead.org>

ssl/s3_pkt.c

index 72853a2e728fd593762665fc96f31d33236fbbf9..9476dcddf6e958f6f3c566c3279f3f44bf74c4d7 100644 (file)
@@ -753,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
                        s->rwstate=SSL_NOTHING;
                        return(s->s3->wpend_ret);
                        }
-               else if (i <= 0)
+               else if (i <= 0) {
+                       if (s->version == DTLS1_VERSION ||
+                           s->version == DTLS1_BAD_VER) {
+                               /* For DTLS, just drop it. That's kind of the whole
+                                  point in using a datagram service */
+                               s->s3->wbuf.left = 0;
+                       }
                        return(i);
+               }
                s->s3->wbuf.offset+=i;
                s->s3->wbuf.left-=i;
                }
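
Review bot: the new i <= 0 branch clears s->s3->wbuf.left for every failing return value, so a transient "try again" result and a hard error are treated the same way, and i is still returned unchanged to the caller. The comment should say that explicitly: the caller sees a failure, and the record is already gone and will not be resent on retry. The branch also leaves s->rwstate untouched, whereas the success path just above sets s->rwstate=SSL_NOTHING before returning. If that difference is intended for DTLS, a one-line comment would help; if not, reset it next to wbuf.left = 0. On style, the added "else if (i <= 0) {" and its closing brace use same-line bracing, while the surrounding context lines put braces on their own indented line. Match the file's convention and give the two-line comment the usual leading " * " on its continuation line.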