On Wed Dec 10 10:08:48 2014, v.badal...@open-bs.ru wrote:
> Also valgrind output
>
> ==17767== Thread 37:
> ==17767== Source and
> destination overlap in memcpy(0x253bfcbd, 0x7e9c51b,
> 4294967209)
^^^^^^^^^^^^ This is interesting. That equates to -87. I think there is a
signed/unsigned conversion issue going on here.
I have another patch. It is cummulative on the last one (i.e. apply the first
one, and then apply this one on top). Keep your other change too (although I
think that is an unrelated problem).
Let me know how you get on.
Matt
>From 922a4370ddbb8c43f2c977d8a9acecc0c153d7a4 Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Fri, 12 Dec 2014 15:32:24 +0000
Subject: [PATCH] DTLS fixes for signed/unsigned issues
Conflicts:
ssl/d1_both.c
---
ssl/d1_both.c | 41 ++++++++++++++++++++++++++++++-----------
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 0781ca5..cc4673c 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -254,9 +254,9 @@ static int dtls1_query_mtu(SSL *s)
int dtls1_do_write(SSL *s, int type)
{
int ret;
- int curr_mtu;
+ unsigned int curr_mtu;
int retry = 1;
- unsigned int len, frag_off, mac_size, blocksize;
+ unsigned int len, frag_off, mac_size, blocksize, used_len;
if(!dtls1_query_mtu(s))
return -1;
@@ -301,10 +301,15 @@ int dtls1_do_write(SSL *s, int type)
blocksize = 0;
frag_off = 0;
- while( s->init_num)
+ /* s->init_num shouldn't ever be < 0...but just in case */
+ while( s->init_num > 0)
{
- curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) -
- DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
+ used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH
+ + mac_size + blocksize;
+ if(s->d1->mtu > used_len)
+ curr_mtu = s->d1->mtu - used_len;
+ else
+ curr_mtu = 0;
if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
{
@@ -312,15 +317,23 @@ int dtls1_do_write(SSL *s, int type)
ret = BIO_flush(SSL_get_wbio(s));
if ( ret <= 0)
return ret;
- curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
- mac_size - blocksize;
+ used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
+ if(s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH)
+ curr_mtu = s->d1->mtu - used_len;
+ else
+ /* Shouldn't happen */
+ return -1;
}
- if ( s->init_num > curr_mtu)
+ /* We just checked that s->init_num > 0 so this cast should be safe */
+ if (((unsigned int)s->init_num) > curr_mtu)
len = curr_mtu;
else
len = s->init_num;
+ /* Shouldn't ever happen */
+ if(len > INT_MAX)
+ len = INT_MAX;
/* XDTLS: this function is too long. split out the CCS part */
if ( type == SSL3_RT_HANDSHAKE)
@@ -331,11 +344,17 @@ int dtls1_do_write(SSL *s, int type)
s->init_off -= DTLS1_HM_HEADER_LENGTH;
s->init_num += DTLS1_HM_HEADER_LENGTH;
- /* write atleast DTLS1_HM_HEADER_LENGTH bytes */
- if ( len <= DTLS1_HM_HEADER_LENGTH)
- len += DTLS1_HM_HEADER_LENGTH;
+ /* We just checked that s->init_num > 0 so this cast should be safe */
+ if (((unsigned int)s->init_num) > curr_mtu)
+ len = curr_mtu;
+ else
+ len = s->init_num;
}
+ /* Shouldn't ever happen */
+ if(len > INT_MAX)
+ len = INT_MAX;
+
if ( len < DTLS1_HM_HEADER_LENGTH )
{
/*
--
2.1.0
_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
