Application data arriving between ChangeCipherSpec and Finished is buffered and processed after the handshake has been completed. While calling dtls1_buffer_record() a NULL pointer was passed as priority. This causes a crash when multiple messages have to be buffered. With this patch the sequence number of the corresponding record is used as the priority as intended.
Thanks to Daniel Mentz for finding this bug.
--- ssl/d1_pkt.c 4 Oct 2009 16:52:35 -0000 1.27.2.18
+++ ssl/d1_pkt.c 3 Apr 2010 10:49:07 -0000
@@ -809,7 +809,7 @@
* buffer the application data for later processing rather
* than dropping the connection.
*/
- dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0);
+ dtls1_buffer_record(s, &(s->d1->buffered_app_data),
rr->seq_num);
rr->length = 0;
goto start;
}
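Review bot: the return value of dtls1_buffer_record() is still discarded at the changed call, and the two lines that follow (`rr->length = 0; goto start;`) run unconditionally, so if the buffering call can fail (for example when allocating the queue item) the application-data record is silently dropped and the read loop restarts as if it had been queued. Consider checking the result, e.g. `if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < 0) goto err;` (using whatever error label this function already has), or at least documenting in the comment above why a failed buffer is acceptable to ignore here. Passing `rr->seq_num` instead of the literal `0` does resolve the NULL-priority crash described in the message, since the queue now receives a pointer to the record's own sequence-number bytes rather than a null pointer.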
Attachments: dtls-buffer-bug-1.0.0.patch, dtls-buffer-bug-0.9.8.patch
