From owner-svn-src-vendor@FreeBSD.ORG Sun Aug 23 14:39:16 2009 Return-Path: Delivered-To: svn-src-vendor@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 59B761065693; Sun, 23 Aug 2009 14:39:16 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 2E6CC8FC1A; Sun, 23 Aug 2009 14:39:16 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7NEdG8m063637; Sun, 23 Aug 2009 14:39:16 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7NEdGp5063635; Sun, 23 Aug 2009 14:39:16 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <200908231439.n7NEdGp5063635@svn.freebsd.org> From: "Simon L. Nielsen" Date: Sun, 23 Aug 2009 14:39:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org X-SVN-Group: vendor-crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r196467 - vendor-crypto/openssl/dist/ssl X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Aug 2009 14:39:16 -0000 Author: simon Date: Sun Aug 23 14:39:15 2009 New Revision: 196467 URL: http://svn.freebsd.org/changeset/base/196467 Log: Import DTLS fix from upstream OpenSSL 0.9.8 branch: Fix DTLS fragment bug - out-of-sequence message handling which could result in NULL pointer dereference in dtls1_process_out_of_seq_message(). Note that this will not get FreeBSD Security Advisory as DTLS is experimental in OpenSSL. Security: CVE-2009-1387 Obtained from: OpenSSL CVS http://cvs.openssl.org/chngview?cn=17958 Modified: vendor-crypto/openssl/dist/ssl/d1_both.c Modified: vendor-crypto/openssl/dist/ssl/d1_both.c ============================================================================== --- vendor-crypto/openssl/dist/ssl/d1_both.c Sun Aug 23 14:33:12 2009 (r196466) +++ vendor-crypto/openssl/dist/ssl/d1_both.c Sun Aug 23 14:39:15 2009 (r196467) @@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; + if (frag_len) + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { - /* read the body of the fragment (header has already been read */ + /* read the body of the fragment (header has already been read) */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; - } - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, msg_hdr->seq); + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); - item = pitem_new(seq64, frag); - pq_64bit_free(&seq64); - if ( item == NULL) - goto err; + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + } - pqueue_insert(s->d1->buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err: