diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c |
|
--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100 |
|
+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100 |
|
@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu |
|
/* Limit the size of the queue to prevent DOS attacks */ |
|
if (pqueue_size(queue->q) >= 100) |
|
return 0; |
|
- |
|
+ |
|
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); |
|
item = pitem_new(priority, rdata); |
|
if (rdata == NULL || item == NULL) |
|
@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu |
|
} |
|
#endif |
|
|
|
- /* insert should not fail, since duplicates are dropped */ |
|
- if (pqueue_insert(queue->q, item) == NULL) |
|
- { |
|
- OPENSSL_free(rdata); |
|
- pitem_free(item); |
|
- return(0); |
|
- } |
|
- |
|
s->packet = NULL; |
|
s->packet_length = 0; |
|
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); |
|
@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu |
|
if (!ssl3_setup_buffers(s)) |
|
{ |
|
SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
|
+ if (rdata->rbuf.buf != NULL) |
|
+ OPENSSL_free(rdata->rbuf.buf); |
|
OPENSSL_free(rdata); |
|
pitem_free(item); |
|
- return(0); |
|
+ return(-1); |
|
} |
|
- |
|
+ |
|
+ /* insert should not fail, since duplicates are dropped */ |
|
+ if (pqueue_insert(queue->q, item) == NULL) |
|
+ { |
|
+ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
|
+ if (rdata->rbuf.buf != NULL) |
|
+ OPENSSL_free(rdata->rbuf.buf); |
|
+ OPENSSL_free(rdata); |
|
+ pitem_free(item); |
|
+ return(-1); |
|
+ } |
|
+ |
|
return(1); |
|
} |
|
|
|
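Review bot: The relocated `pqueue_insert` failure path now returns -1, and every call site changed in this patch turns a negative return into a failed read, so a single failed insert ends the connection where the old code returned 0. The retained comment says the insert should not fail because duplicates are dropped, but that filtering is not visible in this hunk. If `pqueue_insert` returns NULL for a sequence number that is already queued, a duplicated datagram would be escalated to a fatal error. Unless a duplicate is provably impossible at this point, keep the three frees but treat the case as a drop: omit the `SSLerr`, use `return(0);`, and reword the comment to `/* NULL here means a duplicate record: free it and drop it */`. The start of `dtls1_buffer_record` is outside the hunk.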
@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s) |
|
dtls1_get_unprocessed_record(s); |
|
if ( ! dtls1_process_record(s)) |
|
return(0); |
|
- dtls1_buffer_record(s, &(s->d1->processed_rcds), |
|
- s->s3->rrec.seq_num); |
|
+ if(dtls1_buffer_record(s, &(s->d1->processed_rcds), |
|
+ s->s3->rrec.seq_num)<0) |
|
+ return -1; |
|
} |
|
} |
|
|
|
@@ -529,7 +535,6 @@ printf("\n"); |
|
|
|
/* we have pulled in a full packet so zero things */ |
|
s->packet_length=0; |
|
- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ |
|
return(1); |
|
|
|
f_err: |
|
@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s) |
|
|
|
/* The epoch may have changed. If so, process all the |
|
* pending records. This is a non-blocking operation. */ |
|
- dtls1_process_buffered_records(s); |
|
+ if(dtls1_process_buffered_records(s)<0) |
|
+ return -1; |
|
|
|
/* if we're renegotiating, then there may be buffered records */ |
|
if (dtls1_get_processed_record(s)) |
|
@@ -699,7 +705,9 @@ again: |
|
{ |
|
if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) |
|
{ |
|
- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); |
|
+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0) |
|
+ return -1; |
|
+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ |
|
} |
|
rr->length = 0; |
|
s->packet_length = 0; |
|
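Review bot: `dtls1_record_bitmap_update(s, bitmap)` runs whenever `dtls1_buffer_record` returns non-negative, and that includes the 0 returned by the queue-size limit at the top of that function, so a record that was dropped rather than buffered is still marked as received. If the replay check (outside this hunk) consults the same bitmap, that sequence number would later be refused even though the record was never processed. Consider keeping the result and marking receipt only on success: `int r = dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);`, `if (r < 0) return -1;`, `if (r > 0) dtls1_record_bitmap_update(s, bitmap);`. The enclosing function begins and ends outside the hunk, so the declaration of `bitmap` and the replay check should be confirmed there.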
@@ -712,6 +720,7 @@ again: |
|
s->packet_length = 0; /* dump this record */ |
|
goto again; /* get another record */ |
|
} |
|
+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ |
|
|
|
return(1); |
|
|
|
@@ -863,7 +872,11 @@ start: |
|
* buffer the application data for later processing rather |
|
* than dropping the connection. |
|
*/ |
|
- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); |
|
+ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0) |
|
+ { |
|
+ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); |
|
+ return -1; |
|
+ } |
|
rr->length = 0; |
|
goto start; |
|
}
|
|
|