From: Matt Caswell Date: Fri, 11 May 2018 09:28:47 +0000 (+0100) Subject: Don't memcpy the contents of an empty fragment X-Git-Tag: OpenSSL_1_0_2p~53 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f54b665e29a0ed8df2ea322a1f9e1b8057f13894;p=oweals%2Fopenssl.git Don't memcpy the contents of an empty fragment In DTLS if we have buffered a fragment for a zero length message (e.g. ServerHelloDone) then, when we unbuffered the fragment, we were attempting to memcpy the contents of the fragment which is zero length and a NULL pointer. This is undefined behaviour. We should check first whether we have a zero length fragment. Fixes a travis issue. [extended tests] Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6225) --- diff --git a/ssl/d1_both.c b/ssl/d1_both.c index e6bc761e8b..8cf52fac8b 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -656,7 +656,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) al = dtls1_preprocess_fragment(s, &frag->msg_header, max); - if (al == 0) { /* no alert */ + /* al will be 0 if no alert */ + if (al == 0 && frag->msg_header.frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment,