From: Matt Caswell <matt@openssl.org>
Date: Fri, 11 May 2018 09:28:47 +0000 (+0100)
Subject: Don't memcpy the contents of an empty fragment
X-Git-Tag: OpenSSL_1_1_0i~118
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1b261954028925c1e2c329928938dacacf0bb6c0;p=oweals%2Fopenssl.git

Don't memcpy the contents of an empty fragment

In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.

Fixes a travis issue.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6224)
---

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 6b80620ee9..5b34425445 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -493,7 +493,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok)
 
         al = dtls1_preprocess_fragment(s, &frag->msg_header);
 
-        if (al == 0) {          /* no alert */
+        /* al will be 0 if no alert */
+        if (al == 0  && frag->msg_header.frag_len > 0) {
             unsigned char *p =
                 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
             memcpy(&p[frag->msg_header.frag_off], frag->fragment,