base/SOURCES/openssl-1.0.1e-cve-2015-020...

diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c
--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak	2015-01-13 11:44:12.410022377 +0100
+++ openssl-1.0.1e/ssl/d1_pkt.c	2015-01-13 11:50:40.062789458 +0100
@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu
 	/* Limit the size of the queue to prevent DOS attacks */
 	if (pqueue_size(queue->q) >= 100)
 		return 0;
-		
+
 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
 	item = pitem_new(priority, rdata);
 	if (rdata == NULL || item == NULL)
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu
 	}
 #endif
 
-	/* insert should not fail, since duplicates are dropped */
-	if (pqueue_insert(queue->q, item) == NULL)
-		{
-		OPENSSL_free(rdata);
-		pitem_free(item);
-		return(0);
-		}
-
 	s->packet = NULL;
 	s->packet_length = 0;
 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu
 	if (!ssl3_setup_buffers(s))
 		{
 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+		if (rdata->rbuf.buf != NULL)
+			OPENSSL_free(rdata->rbuf.buf);
 		OPENSSL_free(rdata);
 		pitem_free(item);
-		return(0);
+		return(-1);
 		}
-	
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+		if (rdata->rbuf.buf != NULL)
+			OPENSSL_free(rdata->rbuf.buf);
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(-1);
+		}
+
 	return(1);
 	}
 
@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s)
             dtls1_get_unprocessed_record(s);
             if ( ! dtls1_process_record(s))
                 return(0);
-            dtls1_buffer_record(s, &(s->d1->processed_rcds), 
-                s->s3->rrec.seq_num);
+            if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
+                s->s3->rrec.seq_num)<0)
+                return -1;
             }
         }
 
@@ -529,7 +535,6 @@ printf("\n");
 
 	/* we have pulled in a full packet so zero things */
 	s->packet_length=0;
-	dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
 	return(1);
 
 f_err:
@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s)
 
 	/* The epoch may have changed.  If so, process all the
 	 * pending records.  This is a non-blocking operation. */
-	dtls1_process_buffered_records(s);
+	if(dtls1_process_buffered_records(s)<0)
+		return -1;
 
 	/* if we're renegotiating, then there may be buffered records */
 	if (dtls1_get_processed_record(s))
@@ -699,7 +705,9 @@ again:
 		{
 		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
 			{
-			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+			if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
+				return -1;
+			dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
 			}
 		rr->length = 0;
 		s->packet_length = 0;
@@ -712,6 +720,7 @@ again:
 		s->packet_length = 0;  /* dump this record */
 		goto again;   /* get another record */
 		}
+	dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
 
 	return(1);
 
@@ -863,7 +872,11 @@ start:
 		 * buffer the application data for later processing rather
 		 * than dropping the connection.
 		 */
-		dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
+		if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)
+			{
+			SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
+			return -1;
+			}
 		rr->length = 0;
 		goto start;
 		}
openssl package update Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org> 7 years ago			`diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c`
			`--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100`
			`+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100`
			`@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu`
			`/* Limit the size of the queue to prevent DOS attacks */`
			`if (pqueue_size(queue->q) >= 100)`
			`return 0;`
			`-`
			`+`
			`rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));`
			`item = pitem_new(priority, rdata);`
			`if (rdata == NULL \|\| item == NULL)`
			`@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu`
			`}`
			`#endif`

			`- /* insert should not fail, since duplicates are dropped */`
			`- if (pqueue_insert(queue->q, item) == NULL)`
			`- {`
			`- OPENSSL_free(rdata);`
			`- pitem_free(item);`
			`- return(0);`
			`- }`
			`-`
			`s->packet = NULL;`
			`s->packet_length = 0;`
			`memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));`
			`@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu`
			`if (!ssl3_setup_buffers(s))`
			`{`
			`SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);`
			`+ if (rdata->rbuf.buf != NULL)`
			`+ OPENSSL_free(rdata->rbuf.buf);`
			`OPENSSL_free(rdata);`
			`pitem_free(item);`
			`- return(0);`
			`+ return(-1);`
			`}`
			`-`
			`+`
			`+ /* insert should not fail, since duplicates are dropped */`
			`+ if (pqueue_insert(queue->q, item) == NULL)`
			`+ {`
			`+ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);`
			`+ if (rdata->rbuf.buf != NULL)`
			`+ OPENSSL_free(rdata->rbuf.buf);`
			`+ OPENSSL_free(rdata);`
			`+ pitem_free(item);`
			`+ return(-1);`
			`+ }`
			`+`
			`return(1);`
			`}`

			`@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s)`
			`dtls1_get_unprocessed_record(s);`
			`if ( ! dtls1_process_record(s))`
			`return(0);`
			`- dtls1_buffer_record(s, &(s->d1->processed_rcds),`
			`- s->s3->rrec.seq_num);`
			`+ if(dtls1_buffer_record(s, &(s->d1->processed_rcds),`
			`+ s->s3->rrec.seq_num)<0)`
			`+ return -1;`
			`}`
			`}`

			`@@ -529,7 +535,6 @@ printf("\n");`

			`/* we have pulled in a full packet so zero things */`
			`s->packet_length=0;`
			`- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */`
			`return(1);`

			`f_err:`
			`@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s)`

			`/* The epoch may have changed. If so, process all the`
			`* pending records. This is a non-blocking operation. */`
			`- dtls1_process_buffered_records(s);`
			`+ if(dtls1_process_buffered_records(s)<0)`
			`+ return -1;`

			`/* if we're renegotiating, then there may be buffered records */`
			`if (dtls1_get_processed_record(s))`
			`@@ -699,7 +705,9 @@ again:`
			`{`
			`if ((SSL_in_init(s) \|\| s->in_handshake) && !s->d1->listen)`
			`{`
			`- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);`
			`+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)`
			`+ return -1;`
			`+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */`
			`}`
			`rr->length = 0;`
			`s->packet_length = 0;`
			`@@ -712,6 +720,7 @@ again:`
			`s->packet_length = 0; /* dump this record */`
			`goto again; /* get another record */`
			`}`
			`+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */`

			`return(1);`

			`@@ -863,7 +872,11 @@ start:`
			`* buffer the application data for later processing rather`
			`* than dropping the connection.`
			`*/`
			`- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);`
			`+ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)`
			`+ {`
			`+ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);`
			`+ return -1;`
			`+ }`
			`rr->length = 0;`
			`goto start;`
			`}`