From: Dr. Stephen Henson Date: Tue, 6 Apr 2010 12:45:04 +0000 (+0000) Subject: PR: 2218 X-Git-Tag: OpenSSL-fips-2_0-rc1~1152 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ff12f88b8e30d9e3488d0542ef35aae92a11b11c;p=oweals%2Fopenssl.git PR: 2218 Submitted By: Robin Seggelmann Fixes for DTLS replay bug. --- diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 54235f283a..20d24b6fd8 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -667,14 +667,14 @@ again: if (rr->length == 0) goto again; /* If this record is from the next epoch (either HM or ALERT), - * buffer it since it cannot be processed at this time. Records - * from the next epoch are marked as received even though they - * are not processed, so as to prevent any potential resource - * DoS attack */ + * and a handshake is currently in progress, buffer it since it + * cannot be processed at this time. */ if (is_next_epoch) { - dtls1_record_bitmap_update(s, bitmap); - dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + if (SSL_in_init(s) || s->in_handshake) + { + dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + } rr->length = 0; s->packet_length = 0; goto again;