Hello,

Consider the following code:

int dtls1_buffer_message(SSL *s, int is_ccs)
   {
   pitem *item;
   hm_fragment *frag;
   PQ_64BIT seq64;
   unsigned int epoch = s->d1->w_epoch;

   // ... creation and initialization of frag ...

   // w_epoch is only bumped once the CCS record has been written,
   // so a CCS is keyed under the epoch it will be sent in.
   if (is_ccs)
      {
      epoch++;
      }

   pq_64bit_init(&seq64);

   // !!! Finished and CCS messages both have
   // !!! equal value of  (epoch<<16 | frag->msg_header.seq)
   pq_64bit_assign_word(&seq64, epoch<<16 | frag->msg_header.seq);

   item = pitem_new(seq64, frag);
   pq_64bit_free(&seq64);
   if (item == NULL)
      {
      dtls1_hm_fragment_free(frag);
      return 0;
      }

   // !!! This may return NULL, so item object should be freed.
   pqueue_insert(s->d1->sent_messages, item);

   return 1;
   }

Because the Finished and CCS messages both have equal values of the "index"
in s->d1->sent_messages, the Finished message is not inserted into
sent_messages (the CCS message is inserted first).
This leads to problems in retransmission and a memory leak, because no one
checks the return value of pqueue_insert(...).

Is it correct to use frag->msg_header.seq for the CCS message? This message
has no handshake seq number. Maybe retransmission should be placed at the
record level.

Pavel

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
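As an added illustration of the key collision and the leak described in the message above (constructed example code, not OpenSSL's pqueue or d1_both.c): a minimal priority queue with the same "duplicate priorities are rejected, insert returns NULL" contract as OpenSSL's pqueue_insert, the (epoch<<16 | seq) key computation from the posted function, and the posted unchecked insert beside a variant that checks the result and releases the item. The struct layouts, sent_message_key, buffer_message_unchecked, buffer_message_checked, freed_items and the epoch/seq values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of OpenSSL's pqueue: a singly linked list kept in
 * ascending order of a 64-bit priority, duplicates rejected.
 * Illustrative code, not the OpenSSL implementation. */
typedef struct pitem_st {
    uint64_t priority;
    void *data;
    struct pitem_st *next;
} pitem;

typedef struct { pitem *items; } pqueue;

static pitem *pitem_new(uint64_t priority, void *data) {
    pitem *it = malloc(sizeof *it);
    if (it == NULL) return NULL;
    it->priority = priority;
    it->data = data;
    it->next = NULL;
    return it;
}

/* Returns the inserted item, or NULL when an item with the same
 * priority is already queued (the contract the post relies on). */
static pitem *pqueue_insert(pqueue *pq, pitem *item) {
    pitem *curr = NULL, *next;
    for (next = pq->items; next != NULL; curr = next, next = next->next) {
        if (next->priority > item->priority) {
            item->next = next;
            if (curr == NULL) pq->items = item; else curr->next = item;
            return item;
        }
        if (next->priority == item->priority)
            return NULL;            /* duplicates not allowed */
    }
    item->next = NULL;
    if (curr == NULL) pq->items = item; else curr->next = item;
    return item;
}

/* Key as computed in dtls1_buffer_message: (epoch << 16) | handshake seq.
 * For a CCS the epoch is bumped because w_epoch is only incremented once
 * the CCS record has actually been written (assumed from the posted code). */
uint64_t sent_message_key(unsigned int w_epoch, int is_ccs, unsigned int seq) {
    unsigned int epoch = is_ccs ? w_epoch + 1 : w_epoch;
    return ((uint64_t)epoch << 16) | seq;
}

/* Counts items released after a failed insert, so a test can observe
 * that the checked path does not leak. */
int freed_items = 0;

/* Unchecked insert, as in the posted code: on a collision the item is
 * neither queued nor freed, and the caller still reports success. */
int buffer_message_unchecked(pqueue *pq, uint64_t key, void *frag) {
    pitem *item = pitem_new(key, frag);
    if (item == NULL) return 0;
    pqueue_insert(pq, item);        /* return value ignored */
    return 1;
}

/* Checked insert: on a collision free the item and report failure.
 * The fragment stays owned by the caller in this model. */
int buffer_message_checked(pqueue *pq, uint64_t key, void *frag) {
    pitem *item = pitem_new(key, frag);
    if (item == NULL) return 0;
    if (pqueue_insert(pq, item) == NULL) {
        free(item);
        freed_items++;
        return 0;
    }
    return 1;
}

int pqueue_count(const pqueue *pq) {
    int n = 0;
    for (const pitem *p = pq->items; p != NULL; p = p->next) n++;
    return n;
}

int main(void) {
    pqueue pq = { NULL };
    /* Constructed values: w_epoch 0 when the CCS is buffered, w_epoch 1
     * when Finished is buffered, both carrying handshake seq 5. */
    uint64_t ccs_key = sent_message_key(0, 1, 5);
    uint64_t fin_key = sent_message_key(1, 0, 5);
    printf("CCS key 0x%llx, Finished key 0x%llx\n",
           (unsigned long long)ccs_key, (unsigned long long)fin_key);
    buffer_message_unchecked(&pq, ccs_key, "ccs");
    int ok = buffer_message_checked(&pq, fin_key, "finished");
    printf("Finished queued: %d, queue length: %d\n", ok, pqueue_count(&pq));
    return 0;
}
```

Running it shows both keys equal to 0x10005 and the Finished insert failing with the queue still holding only the CCS; the unchecked variant would have returned 1 and dropped the item on the floor.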