Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment...

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 29df26e99a35f054081240dfae844f40e297fd5a..c195ee0f55888c2f070e4f7123a0c539c1e246fc 100644 (file)
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -668,7 +668,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
        /* read the body of the fragment (header has already been read */
        i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
                frag->fragment + msg_hdr->frag_off,frag_len,0);
-       if (i<=0 || (unsigned long)i!=frag_len)
+       if ((unsigned long)i!=frag_len)
+               i=-1;
+       if (i<=0)
                goto err;
 
        RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,