File prevent_buffer_overread.patch of Package compat-openssl098.1637

Index: openssl-0.9.8j/ssl/d1_both.c
===================================================================
--- openssl-0.9.8j.orig/ssl/d1_both.c
+++ openssl-0.9.8j/ssl/d1_both.c
@@ -449,7 +449,7 @@ f_err:
 	}
 
 
-static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max)
+static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,long max)
 	{
 	size_t frag_off,frag_len,msg_len;
 
@@ -552,7 +552,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
 
 
 static int
-dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok, long max)
 {
 	int i=-1;
 	hm_fragment *frag = NULL;
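Review bot: The new `max` parameter on `dtls1_process_out_of_seq_message` is undocumented, and its meaning is not obvious from the name alone since the function already works with `msg_hdr->msg_len` and `frag_len`. A one-line comment above the definition would help the next maintainer, e.g. `/* max: upper bound (in bytes) on a buffered handshake message; fragments extending past it are rejected */`. The function body continues past this hunk.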
@@ -560,7 +560,7 @@ dtls1_process_out_of_seq_message(SSL *s,
 	PQ_64BIT seq64;
 	unsigned long frag_len = msg_hdr->frag_len;
 
-	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+	if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || (msg_hdr->frag_off+frag_len) > (unsigned long)max)
 		goto err;
 
 	/* Try to find item in queue, to prevent duplicate entries */
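Review bot: The added bound compares against `(unsigned long)max`, so a negative `max` would convert to a very large value and silently disable the new check; if any caller can reach this path with a non-positive `max` (not visible here), the guard should reject that first, `if (max <= 0) goto err;`. The sum `msg_hdr->frag_off+frag_len` is also evaluated twice in the same condition; naming it once reads better and keeps the two comparisons obviously consistent, e.g. `unsigned long frag_end = msg_hdr->frag_off + frag_len;` followed by `if (frag_end > msg_hdr->msg_len || frag_end > (unsigned long)max) goto err;`. Note that this still relies on `frag_off + frag_len` not wrapping in `unsigned long`, which presumably holds because both fields are parsed from 24-bit wire values, but that is not established in this hunk. The enclosing function starts in the previous hunk and continues beyond this one.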
@@ -656,7 +656,7 @@ dtls1_get_message_fragment(SSL *s, int s
 	 * (or dropped)--no further processing at this time 
 	 */
 	if ( msg_hdr.seq != s->d1->handshake_read_seq)
-		return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
+		return dtls1_process_out_of_seq_message(s, &msg_hdr, ok, max);
 
 	l = msg_hdr.msg_len;
 	frag_off = msg_hdr.frag_off;