From: Dr. Stephen Henson <steve@openssl.org>
Date: Sat, 3 Jan 2015 00:45:13 +0000 (+0000)
Subject: Fix crash in dtls1_get_record whilst in the listen state where you get two
X-Git-Tag: OpenSSL_0_9_8zd~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=46bf0ba87665c5aa215673d87e9ee7dd4ce28359;p=openssl

Fix crash in dtls1_get_record whilst in the listen state where you get two
separate reads performed - one for the header and one for the body of the
handshake record.

CVE-2014-3571

Reviewed-by: Matt Caswell <matt@openssl.org>

Conflicts:
	ssl/s3_pkt.c
---

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index d12604e657..5eac25fbdd 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -595,8 +595,6 @@ again:
 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
 		i=rr->length;
 		n=ssl3_read_n(s,i,i,1);
-		if (n <= 0) return(n); /* error or non-blocking io */
-
 		/* this packet contained a partial record, dump it */
 		if ( n != i)
 			{
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index a3b45fba9d..1adc301911 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 	 * at once (as long as it fits into the buffer). */
 	if (SSL_version(s) == DTLS1_VERSION)
 		{
+		if (s->s3->rbuf.left == 0 && extend)
+			return 0;
 		if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
 			n = s->s3->rbuf.left;
 		}