873071e844cbaf0b45420b90645e70d6cbd36937
[packages/openssl.git] / openssl-CVE-2009-1377-1378-1379.patch
1 diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
2 --- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos      2005-06-28 14:53:33.000000000 +0200
3 +++ openssl-0.9.8k/crypto/pqueue/pqueue.c       2009-05-21 18:26:29.000000000 +0200
4 @@ -234,3 +234,17 @@ pqueue_next(pitem **item)
5  
6         return ret;
7         }
8 +
9 +int
10 +pqueue_size(pqueue_s *pq)
11 +{
12 +       pitem *item = pq->items;
13 +       int count = 0;
14 +       
15 +       while(item != NULL)
16 +       {
17 +               count++;
18 +               item = item->next;
19 +       }
20 +       return count;
21 +}
22 diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
23 --- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos      2009-04-21 11:43:58.000000000 +0200
24 +++ openssl-0.9.8k/crypto/pqueue/pqueue.h       2009-05-21 18:26:29.000000000 +0200
25 @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
26  pitem *pqueue_next(piterator *iter);
27  
28  void   pqueue_print(pqueue pq);
29 +int    pqueue_size(pqueue pq);
30  
31  #endif /* ! HEADER_PQUEUE_H */
32 diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
33 --- openssl-0.9.8k/ssl/d1_both.c.dtls-dos       2007-10-17 23:17:49.000000000 +0200
34 +++ openssl-0.9.8k/ssl/d1_both.c        2009-05-21 18:26:29.000000000 +0200
35 @@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
36  
37         if ( s->d1->handshake_read_seq == frag->msg_header.seq)
38                 {
39 +               unsigned long frag_len = frag->msg_header.frag_len;
40                 pqueue_pop(s->d1->buffered_messages);
41  
42                 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
43 @@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
44                 if (al==0)
45                         {
46                         *ok = 1;
47 -                       return frag->msg_header.frag_len;
48 +                       return frag_len;
49                         }
50  
51                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
52 @@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
53         if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
54                 goto err;
55  
56 -       if (msg_hdr->seq <= s->d1->handshake_read_seq)
57 +       /* Try to find item in queue, to prevent duplicate entries */
58 +       pq_64bit_init(&seq64);
59 +       pq_64bit_assign_word(&seq64, msg_hdr->seq);
60 +       item = pqueue_find(s->d1->buffered_messages, seq64);
61 +       pq_64bit_free(&seq64);
62 +       
63 +       /* Discard the message if sequence number was already there, is
64 +        * too far in the future or the fragment is already in the queue */
65 +       if (msg_hdr->seq <= s->d1->handshake_read_seq ||
66 +               msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
67                 {
68                 unsigned char devnull [256];
69  
70 diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
71 --- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos        2009-04-21 11:44:02.000000000 +0200
72 +++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
73 @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
74      DTLS1_RECORD_DATA *rdata;
75         pitem *item;
76  
77 +       /* Limit the size of the queue to prevent DOS attacks */
78 +       if (pqueue_size(queue->q) >= 100)
79 +               return 0;
80 +               
81         rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
82         item = pitem_new(priority, rdata);
83         if (rdata == NULL || item == NULL)
This page took 0.029774 seconds and 2 git commands to generate.