[packages/openssl.git] / openssl-CVE-2009-1377-1378-1379.patch

diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos	2005-06-28 14:53:33.000000000 +0200
+++ openssl-0.9.8k/crypto/pqueue/pqueue.c	2009-05-21 18:26:29.000000000 +0200
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
 
 	return ret;
 	}
+
+int
+pqueue_size(pqueue_s *pq)
+{
+	pitem *item = pq->items;
+	int count = 0;
+	
+	while(item != NULL)
+	{
+		count++;
+		item = item->next;
+	}
+	return count;
+}
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos	2009-04-21 11:43:58.000000000 +0200
+++ openssl-0.9.8k/crypto/pqueue/pqueue.h	2009-05-21 18:26:29.000000000 +0200
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 void   pqueue_print(pqueue pq);
+int    pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */
diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos	2007-10-17 23:17:49.000000000 +0200
+++ openssl-0.9.8k/ssl/d1_both.c	2009-05-21 18:26:29.000000000 +0200
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
 
 	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
 		{
+		unsigned long frag_len = frag->msg_header.frag_len;
 		pqueue_pop(s->d1->buffered_messages);
 
 		al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
 		if (al==0)
 			{
 			*ok = 1;
-			return frag->msg_header.frag_len;
+			return frag_len;
 			}
 
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
 	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
 		goto err;
 
-	if (msg_hdr->seq <= s->d1->handshake_read_seq)
+	/* Try to find item in queue, to prevent duplicate entries */
+	pq_64bit_init(&seq64);
+	pq_64bit_assign_word(&seq64, msg_hdr->seq);
+	item = pqueue_find(s->d1->buffered_messages, seq64);
+	pq_64bit_free(&seq64);
+	
+	/* Discard the message if sequence number was already there, is
+	 * too far in the future or the fragment is already in the queue */
+	if (msg_hdr->seq <= s->d1->handshake_read_seq ||
+		msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
 		{
 		unsigned char devnull [256];
 
diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos	2009-04-21 11:44:02.000000000 +0200
+++ openssl-0.9.8k/ssl/d1_pkt.c	2009-05-21 18:26:29.000000000 +0200
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
     DTLS1_RECORD_DATA *rdata;
 	pitem *item;
 
+	/* Limit the size of the queue to prevent DOS attacks */
+	if (pqueue_size(queue->q) >= 100)
+		return 0;
+		
 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 	item = pitem_new(priority, rdata);
 	if (rdata == NULL || item == NULL)
Commit	Line	Data
215c1d6f AM	1	diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
	2	--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
	3	+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200
	4	@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
	5
	6	return ret;
	7	}
	8	+
	9	+int
	10	+pqueue_size(pqueue_s *pq)
	11	+{
	12	+ pitem *item = pq->items;
	13	+ int count = 0;
	14	+
	15	+ while(item != NULL)
	16	+ {
	17	+ count++;
	18	+ item = item->next;
	19	+ }
	20	+ return count;
	21	+}
	22	diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
	23	--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200
	24	+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200
	25	@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
	26	pitem pqueue_next(piterator iter);
	27
	28	void pqueue_print(pqueue pq);
	29	+int pqueue_size(pqueue pq);
	30
	31	#endif /* ! HEADER_PQUEUE_H */
	32	diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
	33	--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200
	34	+++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200
	35	@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
	36
	37	if ( s->d1->handshake_read_seq == frag->msg_header.seq)
	38	{
	39	+ unsigned long frag_len = frag->msg_header.frag_len;
	40	pqueue_pop(s->d1->buffered_messages);
	41
	42	al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
	43	@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
	44	if (al==0)
	45	{
	46	*ok = 1;
	47	- return frag->msg_header.frag_len;
	48	+ return frag_len;
	49	}
	50
	51	ssl3_send_alert(s,SSL3_AL_FATAL,al);
	52	@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
	53	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
	54	goto err;
	55
	56	- if (msg_hdr->seq <= s->d1->handshake_read_seq)
	57	+ /* Try to find item in queue, to prevent duplicate entries */
	58	+ pq_64bit_init(&seq64);
	59	+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
	60	+ item = pqueue_find(s->d1->buffered_messages, seq64);
	61	+ pq_64bit_free(&seq64);
	62	+
	63	+ /* Discard the message if sequence number was already there, is
	64	+ * too far in the future or the fragment is already in the queue */
65	+ if (msg_hdr->seq <= s->d1->handshake_read_seq \|\|
66	+ msg_hdr->seq > s->d1->handshake_read_seq + 10 \|\| item != NULL)
67	{
68	unsigned char devnull [256];
69
70	diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
71	--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200
72	+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
73	@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
74	DTLS1_RECORD_DATA *rdata;
75	pitem *item;
76
77	+ /* Limit the size of the queue to prevent DOS attacks */
78	+ if (pqueue_size(queue->q) >= 100)
79	+ return 0;
80	+
81	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
82	item = pitem_new(priority, rdata);
83	if (rdata == NULL \|\| item == NULL)