Attachment 901375 Details for Bug 1103598 – Upstream patch

[patch] Upstream patch

openssl-CVE-2014-0195.patch (text/plain), 1008 bytes, created by Huzaifa S. Sidhpurwala on 2014-06-02 08:31:02 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Huzaifa S. Sidhpurwala

Created: 2014-06-02 08:31:02 UTC

Size: 1008 bytes

patch

obsolete

>commit 208d54db20d58c9a5e45e856a0650caadd7d9612
>Author: Dr. Stephen Henson <steve@openssl.org>
>Date:   Tue May 13 18:48:31 2014 +0100
>
>    Fix for CVE-2014-0195
>    
>    A buffer overrun attack can be triggered by sending invalid DTLS fragments
>    to an OpenSSL DTLS client or server. This is potentially exploitable to
>    run arbitrary code on a vulnerable client or server.
>    
>    Fixed by adding consistency check for DTLS fragments.
>    
>    Thanks to JÃ¼ri Aedla for reporting this issue.
>
>diff --git a/ssl/d1_both.c b/ssl/d1_both.c
>index 2e8cf68..07f67f8 100644
>--- a/ssl/d1_both.c
>+++ b/ssl/d1_both.c
>@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
> 		frag->msg_header.frag_off = 0;
> 		}
> 	else
>+		{
> 		frag = (hm_fragment*) item->data;
>+		if (frag->msg_header.msg_len != msg_hdr->msg_len)
>+			{
>+			item = NULL;
>+			frag = NULL;
>+			goto err;
>+			}
>+		}
>+
> 
> 	/* If message is already reassembled, this must be a
> 	 * retransmit and can be dropped.
>

Actions: View | Diff

Attachments on bug 1103598: 901375