Deal with the unlikely event that EVP_MD_CTX_size() returns an error.
[openssl.git] / ssl / d1_pkt.c
index 0321ee7f15ae2c4c7c3e0efa48511365f0381bb8..75c2b63f3ecaf3e17ee4c137b6f784f5ef053fab 100644 (file)
@@ -428,6 +428,12 @@ printf("\n");
        if (!clear)
                {
                mac_size=EVP_MD_CTX_size(s->read_hash);
+               if (mac_size <= 0)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_MAC_LENGTH);
+                       goto f_err;
+                       }
 
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
                        {
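Review bot: The added `mac_size <= 0` test catches a negative return from EVP_MD_CTX_size() only if `mac_size` is a signed type, and its declaration is outside this hunk. If it is declared `unsigned int`, an error return of -1 converts to a very large value, passes the check, and then distorts the `SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size` bound on the following line. Taking the result into a signed temporary makes the check independent of the declaration: `int t=EVP_MD_CTX_size(s->read_hash);`, then `if (t <= 0)` with the same error body, then `mac_size=t;`. The enclosing function begins and ends outside the hunk, so the declared type should be confirmed there.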
@@ -635,6 +641,7 @@ again:
        /* check whether this is a repeat, or aged record */
        if ( ! dtls1_record_replay_check(s, bitmap))
                {
+               rr->length = 0;
                s->packet_length=0; /* dump this record */
                goto again;     /* get another record */
                }
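Review bot: The added `rr->length = 0;` has no comment and the commit message does not mention it, so a reader has to infer why the record length is cleared when a replayed or aged record is dropped. Presumably the intent is that no stale length from the rejected record survives into the next pass through `again:`. If so, a comment such as `/* rejected record: leave no stale length behind */` on that line would record it. The other places in this function that discard a record are outside the hunk, so it is worth checking that they reset `rr->length` the same way.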