From: Matt Caswell Date: Thu, 24 Jul 2014 22:54:28 +0000 (+0100) Subject: Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment... X-Git-Tag: OpenSSL_1_0_0n~8 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=e5861c885f644b17aa31bb765511a5ac44d02166;p=oweals%2Fopenssl.git Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read. Problem identified by Emilia Käsper, based on previous issue/patch by Adam Langley. Reviewed-by: Emilia Käsper --- diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 6aa0fe908f..898baf2934 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -663,7 +663,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) /* read the body of the fragment (header has already been read */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment + msg_hdr->frag_off,frag_len,0); - if (i<=0 || (unsigned long)i!=frag_len) + if ((unsigned long)i!=frag_len) + i=-1; + if (i<=0) goto err; RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,