From: Matt Caswell Date: Mon, 1 Dec 2014 11:10:38 +0000 (+0000) Subject: Verify that we have a sensible message len and fail if not X-Git-Tag: master-post-reformat~253 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=cf75017bfd60333ff65edf9840001cd2c49870a3;p=oweals%2Fopenssl.git Verify that we have a sensible message len and fail if not RT#3592 provides an instance where the OPENSSL_assert that this commit replaces can be hit. I was able to recreate this issue by forcing the underlying BIO to misbehave and come back with very small mtu values. This happens the second time around the while loop after we have detected that the MTU has been exceeded following the call to dtls1_write_bytes. Reviewed-by: Tim Hudson --- diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 2324675579..23d97cb127 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -329,12 +329,18 @@ int dtls1_do_write(SSL *s, int type) len = s->init_num; } + if ( len < DTLS1_HM_HEADER_LENGTH ) + { + /* + * len is so small that we really can't do anything sensible + * so fail + */ + return -1; + } dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]); - - OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); } ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],