From owner-svn-src-all@FreeBSD.ORG  Sun Aug 23 14:12:01 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 86A32106568E;
	Sun, 23 Aug 2009 14:12:01 +0000 (UTC)
	(envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 74E408FC08;
	Sun, 23 Aug 2009 14:12:01 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n7NEC1Ki062847;
	Sun, 23 Aug 2009 14:12:01 GMT (envelope-from simon@svn.freebsd.org)
Received: (from simon@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n7NEC1Fw062845;
	Sun, 23 Aug 2009 14:12:01 GMT (envelope-from simon@svn.freebsd.org)
Message-Id: <200908231412.n7NEC1Fw062845@svn.freebsd.org>
From: "Simon L. Nielsen" <simon@FreeBSD.org>
Date: Sun, 23 Aug 2009 14:12:01 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-vendor@freebsd.org
X-SVN-Group: vendor-crypto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r196462 - vendor-crypto/openssl/dist/ssl
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2009 14:12:01 -0000

Author: simon
Date: Sun Aug 23 14:12:01 2009
New Revision: 196462
URL: http://svn.freebsd.org/changeset/base/196462

Log:
  Import DTLS fix from upstream OpenSSL 0.9.8 branch:
  
  Fix fragment handling memory leak.
  
  Note that this will not get FreeBSD Security Advisory as DTLS is
  experimental in OpenSSL.
  
  Security:	CVE-2009-1378
  Obtained from:	OpenSSL CVS
  		http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15

Modified:
  vendor-crypto/openssl/dist/ssl/d1_both.c

Modified: vendor-crypto/openssl/dist/ssl/d1_both.c
==============================================================================
--- vendor-crypto/openssl/dist/ssl/d1_both.c	Sun Aug 23 13:58:25 2009	(r196461)
+++ vendor-crypto/openssl/dist/ssl/d1_both.c	Sun Aug 23 14:12:01 2009	(r196462)
@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
 		goto err;
 
-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
+	/* Try to find item in queue, to prevent duplicate entries */
+	pq_64bit_init(&seq64);
+	pq_64bit_assign_word(&seq64, msg_hdr->seq);
+	item = pqueue_find(s->d1->buffered_messages, seq64);
+	pq_64bit_free(&seq64);
+	
+	/* Discard the message if sequence number was already there, is
+	 * too far in the future or the fragment is already in the queue */
+	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
 		{
 		unsigned char devnull [256];