[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Sat May 12 09:03:42 UTC 2018

The branch master has been updated
       via  a925e7dbf4c3bb01365c961df86da3ebfa1a6c27 (commit)
      from  c82c3462267afdbbaa53e11da0508ce4e03c02b3 (commit)

- Log -----------------------------------------------------------------
commit a925e7dbf4c3bb01365c961df86da3ebfa1a6c27
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 11 10:28:47 2018 +0100

    Don't memcpy the contents of an empty fragment
    In DTLS if we have buffered a fragment for a zero length message (e.g.
    ServerHelloDone) then, when we unbuffered the fragment, we were attempting
    to memcpy the contents of the fragment which is zero length and a NULL
    pointer. This is undefined behaviour. We should check first whether we
    have a zero length fragment.
    Fixes a travis issue.
    [extended tests]
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6223)


Summary of changes:
 ssl/statem/statem_dtls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 75ff525..b016fa7 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -504,7 +504,7 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, size_t *len)
         /* Calls SSLfatal() as required */
         ret = dtls1_preprocess_fragment(s, &frag->msg_header);
-        if (ret) {
+        if (ret && frag->msg_header.frag_len > 0) {
             unsigned char *p =
                 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
             memcpy(&p[frag->msg_header.frag_off], frag->fragment,

More information about the openssl-commits mailing list