Skip to content

Commit

Permalink
Fix CVE-2014-0221
Browse files Browse the repository at this point in the history 
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
  • Loading branch information
@snhenson
snhenson committed Jun 5, 2014
1 parent 006cd70 commit d315265
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions ssl/d1_both.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
int i,al;
struct hm_header_st msg_hdr;

redo:
/* see if we have the required fragment already */
if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
{
Expand Down Expand Up @@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
s->msg_callback_arg);

s->init_num = 0;
return dtls1_get_message_fragment(s, st1, stn,
max, ok);
goto redo;
}
else /* Incorrectly formated Hello request */
{
Expand Down

0 comments on commit d315265

Please sign in to comment.