Whenever a handshake message arrives with an unexpected sequence  
number, it is passed to the function  
dtls1_process_out_of_seq_message(). This function discards the data if  
the sequence number is lower than the expected value and buffers it  
if it is a future message. When discarding, the message fragment length  
remains 0 which indicates that nothing has to be buffered. Due to a  
misplaced if condition to check the length, sometimes fragments with  
no data but with the length of the dropped message are buffered. This  
causes a bus error when processing later.


--- ssl/d1_both.c       2007-10-17 23:17:49.000000000 +0200
+++ ssl/d1_both.c       2009-02-05 16:29:12.000000000 +0100
@@ -575,30 +575,31 @@
                        }
                }

-       frag = dtls1_hm_fragment_new(frag_len);
-       if ( frag == NULL)
-               goto err;
+       if (frag_len)
+       {
+               frag = dtls1_hm_fragment_new(frag_len);
+               if ( frag == NULL)
+                       goto err;

-       memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+               memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));

-       if (frag_len)
-               {
-               /* read the body of the fragment (header has already been read 
*/
+               /* read the body of the fragment (header has already been read) 
*/
                i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
                        frag->fragment,frag_len,0);
                if (i<=0 || (unsigned long)i!=frag_len)
                        goto err;
-               }

-       pq_64bit_init(&seq64);
-       pq_64bit_assign_word(&seq64, msg_hdr->seq);
+               pq_64bit_init(&seq64);
+               pq_64bit_assign_word(&seq64, msg_hdr->seq);

-       item = pitem_new(seq64, frag);
-       pq_64bit_free(&seq64);
-       if ( item == NULL)
-               goto err;
+               item = pitem_new(seq64, frag);
+               pq_64bit_free(&seq64);
+               if ( item == NULL)
+                       goto err;
+
+               pqueue_insert(s->d1->buffered_messages, item);
+       }

-       pqueue_insert(s->d1->buffered_messages, item);
        return DTLS1_HM_FRAGMENT_RETRY;

  err:
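Review bot: Wrapping the buffering in `if (frag_len)` uses a length of zero as the "message was discarded" signal, but zero is also the legitimate body length of body-less handshake messages (ServerHelloDone, for one), so a future body-less message now returns DTLS1_HM_FRAGMENT_RETRY without being queued and is only recovered when the peer retransmits. Inferring from the description, the discard branch above the hunk is what drains frag_len to 0; making this block the `else` of that branch (`} else {` in place of `if (frag_len)` at the top of the hunk) ties buffering to the actual discard decision rather than to a side effect of the drain. With both assignments now conditional, the `err:` cleanup presumably relies on `frag` and `item` starting as NULL; worth confirming at the top of the function. dtls1_process_out_of_seq_message begins and ends outside the hunk.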


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
