There is still a bug in the bitmask macros, reported by Daniel Mentz. While checking whether a message is complete, a read could occur beyond the end of the bitmask array. This patch fixes that and also performs the check backwards, which should usually be faster.
Regards,
Robin
--- ssl/d1_both.c 14 Apr 2010 00:41:01 -0000 1.14.2.20
+++ ssl/d1_both.c 21 Apr 2010 13:32:23 -0000
@@ -132,15 +132,16 @@
} else { \
unsigned long ii; \
bitmask[((start) >> 3)] |=
bitmask_start_values[((start) & 7)]; \
- for (ii = (((start) >> 3) + 1); ii < ((end) >>
3); ii++) bitmask[ii] = 0xff; \
- bitmask[((end) >> 3)] |=
bitmask_end_values[((end) & 7)]; \
+ for (ii = (((start) >> 3) + 1); ii < (((end -
1)) >> 3); ii++) bitmask[ii] = 0xff; \
+ bitmask[(((end) - 1) >> 3)] |=
bitmask_end_values[((end) & 7)]; \
} }
#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
unsigned long ii; \
+ OPENSSL_assert((msg_len) > 0); \
is_complete = 1; \
- if (bitmask[((msg_len) >> 3)] !=
bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
- if (is_complete) for (ii = 0; ii < ((msg_len) >> 3);
ii++) \
+ if (bitmask[(((msg_len) - 1) >> 3)] !=
bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
+ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1;
ii > 0 ; ii--) \
if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
#if 0
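Review bot: The rewritten completeness loop in RSMBLY_BITMASK_IS_COMPLETE never examines `bitmask[0]` and underflows for short messages: `ii` is declared `unsigned long`, so with `for (ii = (((msg_len) - 1) >> 3) - 1; ii > 0 ; ii--)` the byte at index 0 is skipped whenever the mask spans two or more bytes, and when `msg_len` is 1..8 the start value `0 - 1` wraps to `ULONG_MAX` and the first iteration reads far outside the array, which is the class of out-of-bounds read this patch sets out to remove. Make the index signed and run the loop down to zero inclusive: `long ii;` and `for (ii = (long)(((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--)`. The `OPENSSL_assert((msg_len) > 0)` stays necessary because `(msg_len) - 1` is evaluated on the following line. Note that the RSMBLY_BITMASK_MARK definition begins before this hunk, so its earlier lines are not visible here.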
@@ -152,7 +153,7 @@
#endif
static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0,
0xe0, 0xc0, 0x80};
-static unsigned char bitmask_end_values[] = {0x00, 0x01, 0x03, 0x07, 0x0f,
0x1f, 0x3f, 0x7f};
+static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f,
0x1f, 0x3f, 0x7f};
/* XDTLS: figure out the right values */
static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
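Review bot: Changing `bitmask_end_values[0]` from 0x00 to 0xff gives index 0 a meaning unlike every other entry (entry k is "low k bits set", but entry 0 now means "all eight bits"), and that only works because the macros in the previous hunk address byte `((end) - 1) >> 3` while still indexing the table with `(end) & 7`. That coupling should be stated on the table so a later edit to either side keeps them in step, e.g. `/* bitmask_end_values[k] has the low k bits set; index 0 is 0xff because callers index byte ((end)-1)>>3, so an end on a byte boundary means that byte is fully covered. */`. Since neither table is ever written, both could also be `static const unsigned char`.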
