Whenever a handshake message arrives with an unexpected sequence number, it is passed to the function dtls1_process_out_of_seq_message(). This function discards the data if the sequence number is lower than the expected value and buffers it, if is a future message. When discarding, the message fragment length remains 0 which indicates that nothing has to be buffered. Due to a misplaced if condition to check the length, sometimes fragments with no data but with the length of the dropped message are buffered. This causes a bus error when processing later.
--- ssl/d1_both.c 2007-10-17 23:17:49.000000000 +0200 +++ ssl/d1_both.c 2009-02-05 16:29:12.000000000 +0100 @@ -575,30 +575,31 @@ } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; + if (frag_len) + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { - /* read the body of the fragment (header has already been read */ + /* read the body of the fragment (header has already been read) */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; - } - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, msg_hdr->seq); + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); - item = pitem_new(seq64, frag); - pq_64bit_free(&seq64); - if ( item == NULL) - goto err; + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + } - pqueue_insert(s->d1->buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err: ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org