On Thu, 2008-10-02 at 05:47 +0100, David Woodhouse wrote:
> I can reproduce this failure at will. All I need to do is set up a DTLS
> connection, then somehow cause the write() call on the UDP socket to
> return an error -- a firewall is an easy way of achieving that.

The whole _point_ of DTLS is that it's a datagram service. That
datagrams go missing. So buffering them up when we fail to send them --
even if we _weren't_ then going to crap ourselves and abort() as a
result -- was a bad idea in the first place.

(I include DTLS1_BAD_VER here because of RT#1751)

--- openssl-0.9.8g/ssl/s3_pkt.c~        2006-11-29 14:45:14.000000000 +0000
+++ openssl-0.9.8g/ssl/s3_pkt.c 2008-10-02 06:41:07.000000000 +0100
@@ -753,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type,
                        s->rwstate=SSL_NOTHING;
                        return(s->s3->wpend_ret);
                        }
-               else if (i <= 0)
+               else if (i <= 0) {
+                       if (s->version == DTLS1_VERSION ||
+                           s->version == DTLS1_BAD_VER) {
+                               /* For DTLS, just drop it. That's kind of the 
whole
+                                  point in using a datagram service */
+                               s->s3->wbuf.left = 0;
+                       }
                        return(i);
+               }
                s->s3->wbuf.offset+=i;
                s->s3->wbuf.left-=i;
                }
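
Review bot: In the new DTLS branch under `else if (i <= 0)`, `s->s3->wbuf.left` is cleared but `s->rwstate` is left untouched, whereas the success path just above sets `s->rwstate=SSL_NOTHING` before returning. Either reset rwstate here as well, or extend the comment to explain why the caller can safely receive the error return after the record has already been discarded. The branch also drops the record on any non-positive return, without separating a transient failure from a hard one; if that is intended for datagrams, the comment should say so. Style: the added opening braces sit on the `else if` and `if` lines, which differs from the brace placement in the surrounding context lines.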

-- 
David Woodhouse                            Open Source Technology Centre
[EMAIL PROTECTED]                              Intel Corporation


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
