[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Sat May 12 09:13:47 UTC 2018
The branch OpenSSL_1_0_2-stable has been updated
via f54b665e29a0ed8df2ea322a1f9e1b8057f13894 (commit)
from 18026c0215e942f0ad33a6012cb8cad2f51f841b (commit)
- Log -----------------------------------------------------------------
commit f54b665e29a0ed8df2ea322a1f9e1b8057f13894
Author: Matt Caswell <matt at openssl.org>
Date: Fri May 11 10:28:47 2018 +0100
Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.
Fixes a travis issue.
[extended tests]
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6225)
-----------------------------------------------------------------------
Summary of changes:
ssl/d1_both.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index e6bc761..8cf52fa 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -656,7 +656,8 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
- if (al == 0) { /* no alert */
+ /* al will be 0 if no alert */
+ if (al == 0 && frag->msg_header.frag_len > 0) {
unsigned char *p =
(unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
memcpy(&p[frag->msg_header.frag_off], frag->fragment,
More information about the openssl-commits
mailing list