From 02db21dfb4d9ea76d83a10df6d46d8b511fcce50 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Sat, 23 May 2015 21:32:12 +0100 Subject: [PATCH] Don't send an alert if we've just received one If the record received is for a version that we don't support, previously we were sending an alert back. However if the incoming record already looks like an alert then probably we shouldn't do that. So suppress an outgoing alert if it looks like we've got one incoming. Reviewed-by: Kurt Roeckx --- ssl/record/ssl3_record.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 5070bc35c0..bae9490798 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -268,11 +268,22 @@ int ssl3_get_record(SSL *s) if (!s->first_packet && version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (version & 0xFF00) - && !s->enc_write_ctx && !s->write_hash) + && !s->enc_write_ctx && !s->write_hash) { + if (rr->type == SSL3_RT_ALERT) { + /* + * The record is using an incorrect version number, but + * what we've got appears to be an alert. We haven't + * read the body yet to check whether its a fatal or + * not - but chances are it is. We probably shouldn't + * send a fatal alert back. We'll just end. + */ + goto err; + } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; + } al = SSL_AD_PROTOCOL_VERSION; goto f_err; } -- 2.40.0