215c1d6f AM |
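--- a/crypto/pqueue/pqueue.c
+++ b/crypto/pqueue/pqueue.c
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
 
 return ret;
 }
+
+int
+pqueue_size(pqueue_s *pq)
+{
+ pitem *item = pq->items;
+ int count = 0;
+
+ while(item != NULL)
+ {
+ count++;
+ item = item->next;
+ }
+ return count;
+}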
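Review bot: The definition spells its parameter `pqueue_s *pq`, while the prototype this patch adds to pqueue.h declares `int pqueue_size(pqueue pq);`. The two are presumably the same type through a typedef that is not visible here, but using the header's spelling in the definition would keep it in line with the other declarations shown there. The function also dereferences `pq` without a NULL check and counts by walking the whole list, so a short comment above it such as `/* Returns the number of items; O(n) walk, pq must not be NULL. */` would tell callers what each call costs.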
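--- a/crypto/pqueue/pqueue.h
+++ b/crypto/pqueue/pqueue.h
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 void pqueue_print(pqueue pq);
+int pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */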
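--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
 
 if ( s->d1->handshake_read_seq == frag->msg_header.seq)
 {
+ unsigned long frag_len = frag->msg_header.frag_len;
 pqueue_pop(s->d1->buffered_messages);
 
 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
 if (al==0)
 {
 *ok = 1;
- return frag->msg_header.frag_len;
+ return frag_len;
 }
 
 ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
 goto err;
 
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
+ /* Try to find item in queue, to prevent duplicate entries */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+ item = pqueue_find(s->d1->buffered_messages, seq64);
+ pq_64bit_free(&seq64);
+
+ /* Discard the message if sequence number was already there, is
+ * too far in the future or the fragment is already in the queue */
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
 {
 unsigned char devnull [256];
 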
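Review bot: The future-sequence window in the new condition is the bare literal `10` in `msg_hdr->seq > s->d1->handshake_read_seq + 10`, and the record-queue cap in d1_pkt.c is likewise a bare `100`. Both are resource limits that an auditor will want to find and tune, so each would be better as a named macro (for example a constructed name such as `DTLS1_MAX_FUTURE_HANDSHAKE_SEQ`) with a one-line rationale. The `pqueue_find` lookup also runs before the sequence-range comparison, so fragments that would be discarded on range alone still pay for a queue search; doing the two cheap comparisons first and the lookup only when they pass avoids that. The declarations of `seq64` and `item` and the rest of the function are outside the hunk.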
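--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
 DTLS1_RECORD_DATA *rdata;
 pitem *item;
 
+ /* Limit the size of the queue to prevent DOS attacks */
+ if (pqueue_size(queue->q) >= 100)
+ return 0;
+
 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 item = pitem_new(priority, rdata);
 if (rdata == NULL || item == NULL)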
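Review bot: The new early `return 0` drops the record silently, and whether callers can tell that apart from other outcomes cannot be seen here, because the allocation-failure branch starting at `if (rdata == NULL || item == NULL)` continues outside the hunk. A comment stating what 0 means to the caller (record not buffered, not an error) would settle it. The cap counts records rather than bytes, so the memory bound it gives depends on the per-record buffer size, which is worth stating next to the limit. Because `pqueue_size` walks the list, every record offered for buffering costs a traversal of up to 100 items; that is bounded, but a maintained counter would fit better if the limit is ever raised.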