The reception of incomplete or incorrectly formatted DTLS fragments is handled with an OPENSSL_assert(), causing the program to exit rather than just terminating the connection. This patch exchanges the asserts with unexpected message and illegal parameter alerts.
Thanks to Zhu Qun-Ying for finding this bug!
Best regards
Robin
--- ssl/d1_both.c 23 Sep 2011 13:35:19 -0000 1.14.2.25
+++ ssl/d1_both.c 18 Oct 2011 13:16:22 -0000
@@ -793,7 +793,13 @@
*ok = 0;
return i;
}
- OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+ /* Handshake fails if message header is incomplete */
+ if (i != DTLS1_HM_HEADER_LENGTH)
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+
SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
/* parse the message fragment header */
dtls1_get_message_header(wire, &msg_hdr);
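Review bot: the SSLerr() line in this hunk carries no leading `+`, so the patch as pasted into the mail will not apply cleanly; this looks like a line wrap introduced by the mailer, and the attached patch files should be treated as the authoritative version. The new branch also relies on an `al` variable and an `f_err:` label that the hunk does not show; please confirm both exist in dtls1_get_message_fragment() so the SSL_AD_UNEXPECTED_MESSAGE alert is really sent before the function returns an error instead of aborting the process.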
@@ -865,7 +871,12 @@
/* XDTLS: an incorrectly formatted fragment should cause the
* handshake to fail */
- OPENSSL_assert(i == (int)frag_len);
+ if (i != (int)frag_len)
+ {
+ al=SSL3_AD_ILLEGAL_PARAMETER;
+
SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+ goto f_err;
+ }
*ok = 1;
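Review bot: the reason code passed to SSLerr() is wrong in this hunk: `SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);` hands an alert description (an SSL3_AD_* value) to a macro that expects an SSL_R_* reason code, so the queued error will be misreported. Only `al` should carry the alert code; the SSLerr() argument should be an SSL_R_* reason, as the first hunk does with SSL_R_UNEXPECTED_MESSAGE. The same wrapped SSLerr() line without a leading `+` appears here as well, and the `XDTLS:` comment above the check now describes behaviour that is implemented rather than a to-do, so it could be reworded to match.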
Attachments: dtls-fragment-assert-bug-0.9.8.patch, dtls-fragment-assert-bug-1.0.0.patch, dtls-fragment-assert-bug-1.0.1.patch
