From: Adam Langley Date: Fri, 6 Jun 2014 21:44:20 +0000 (-0700) Subject: Fix return code for truncated DTLS fragment. X-Git-Tag: OpenSSL_0_9_8zb~7 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=fc15c440498f815e384f496c5913fe1db9f69a28;p=oweals%2Fopenssl.git Fix return code for truncated DTLS fragment. Previously, a truncated DTLS fragment in |dtls1_process_out_of_seq_message| would cause *ok to be cleared, but the return value would still be the number of bytes read. This would cause |dtls1_get_message| not to consider it an error and it would continue processing as normal until the calling function noticed that *ok was zero. I can't see an exploit here because |dtls1_get_message| uses |s->init_num| as the length, which will always be zero from what I can see. Reviewed-by: Matt Caswell Reviewed-by: Emilia Käsper --- diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 99325e8f04..961ac511d2 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -765,7 +765,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) /* read the body of the fragment (header has already been read) */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); - if (i<=0 || (unsigned long)i!=frag_len) + if ((unsigned long)i!=frag_len) + i = -1; + if (i<=0) goto err; }