PR: 2739
authorDr. Stephen Henson <steve@openssl.org>
Mon, 27 Feb 2012 16:38:24 +0000 (16:38 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 27 Feb 2012 16:38:24 +0000 (16:38 +0000)
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix padding bugs in Heartbeat support.

ssl/d1_both.c
ssl/t1_lib.c

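--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1422,8 +1422,9 @@ dtls1_process_heartbeat(SSL *s)
                 *bp++ = TLS1_HB_RESPONSE;
                 s2n(payload, bp);
                 memcpy(bp, pl, payload);
+               bp += payload;
                 /* Random padding */
-               RAND_pseudo_bytes(p, padding);
+               RAND_pseudo_bytes(bp, padding);
 
                 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
 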
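Review bot: `memcpy(bp, pl, payload)` copies a length that, as far as this hunk shows, is never compared with the size of the heartbeat record actually received. If `payload` is read from the peer's length field, a claimed length larger than the real message would make the copy read past the received data and echo adjacent memory back in the response. The message should be discarded before the response is built when the claimed length does not fit, for example `if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard */`. The same copy appears in tls1_process_heartbeat in ssl/t1_lib.c. The body of dtls1_process_heartbeat starts and ends outside the hunk, so confirm whether such a check already exists above.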
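--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2467,7 +2467,10 @@ tls1_process_heartbeat(SSL *s)
                 *bp++ = TLS1_HB_RESPONSE;
                 s2n(payload, bp);
                 memcpy(bp, pl, payload);
-               
+               bp += payload;
+               /* Random padding */
+               RAND_pseudo_bytes(bp, padding);
+
                 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
 
                 if (r >= 0 && s->msg_callback)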
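Review bot: The result of `RAND_pseudo_bytes(bp, padding)` is discarded, so if the generator fails, the padding region of `buffer` is sent exactly as it was allocated. The allocation is outside the hunk, but if it is a plain heap allocation without zeroing, those bytes would be uninitialised memory handed to the peer. Testing the call with `if (RAND_pseudo_bytes(bp, padding) < 0)` and freeing `buffer` on the function's error path, or zero-filling the padding first, would close the gap. The corrected call in dtls1_process_heartbeat (ssl/d1_both.c) discards its result in the same way. tls1_process_heartbeat continues past the end of the hunk.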