{"schema":"libjg2-1", "vpath":"/git/", "avatar":"/git/avatar/", "alang":"", "gen_ut":1756579214, "reponame":"openssl", "desc":"OpenSSL", "owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl", "f":3, "items": [ {"schema":"libjg2-1", "cid":"a5bc25e456dbf196727edb42e8aebbc4", "commit": {"type":"commit", "time": 1407353800, "time_ofs": 60, "oid_tree": { "oid": "53cac245a28fc2ca9f88427a7e8979e02a617243", "alias": []}, "oid":{ "oid": "d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74", "alias": []}, "msg": "Fix memory leak from zero-length DTLS fragments.", "sig_commit": { "git_time": { "time": 1407353800, "offset": 60 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }, "sig_author": { "git_time": { "time": 1402090233, "offset": -420 }, "name": "Adam Langley", "email": "agl@imperialviolet.org", "md5": "a0b368e7617c04a13c2336d56507e884" }}, "body": "Fix memory leak from zero-length DTLS fragments.\n\nThe |pqueue_insert| function can fail if one attempts to insert a\nduplicate sequence number. When handling a fragment of an out of\nsequence message, |dtls1_process_out_of_seq_message| would not call\n|dtls1_reassemble_fragment| if the fragment's length was zero. 
It would\nthen allocate a fresh fragment and attempt to insert it, but ignore the\nreturn value, leaking the fragment.\n\nThis allows an attacker to exhaust the memory of a DTLS peer.\n\nFixes CVE-2014-3507\n\nReviewed-by: Matt Caswell \u003cmatt@openssl.org\u003e\nReviewed-by: Emilia Käsper \u003cemilia@openssl.org\u003e\n" , "diff": "diff --git a/ssl/d1_both.c b/ssl/d1_both.c\nindex c5beea8..4d8d2d1 100644\n--- a/ssl/d1_both.c\n+++ b/ssl/d1_both.c\n@@ -616,6 +616,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)\n \t msg_hdr-\u003emsg_len \u003e dtls1_max_handshake_message_len(s))\n \t\tgoto err;\n \n+\tif (frag_len \u003d\u003d 0)\n+\t\treturn DTLS1_HM_FRAGMENT_RETRY;\n+\n \t/* Try to find item in queue */\n \tmemset(seq64be,0,sizeof(seq64be));\n \tseq64be[6] \u003d (unsigned char) (msg_hdr-\u003eseq\u003e\u003e8);\n@@ -693,7 +696,12 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)\n \t\t\tgoto err;\n \t\t\t}\n \n-\t\tpqueue_insert(s-\u003ed1-\u003ebuffered_messages, item);\n+\t\titem \u003d pqueue_insert(s-\u003ed1-\u003ebuffered_messages, item);\n+\t\t/* pqueue_insert fails iff a duplicate item is inserted.\n+\t\t * However, |item| cannot be a duplicate. If it were,\n+\t\t * |pqueue_find|, above, would have returned it and control\n+\t\t * would never have reached this branch. 
*/\n+\t\tOPENSSL_assert(item !\u003d NULL);\n \t\t}\n \n \treturn DTLS1_HM_FRAGMENT_RETRY;\n@@ -751,7 +759,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)\n \t\t}\n \telse\n \t\t{\n-\t\tif (frag_len \u0026\u0026 frag_len \u003c msg_hdr-\u003emsg_len)\n+\t\tif (frag_len \u003c msg_hdr-\u003emsg_len)\n \t\t\treturn dtls1_reassemble_fragment(s, msg_hdr, ok);\n \n \t\tif (frag_len \u003e dtls1_max_handshake_message_len(s))\n@@ -780,7 +788,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)\n \t\tif ( item \u003d\u003d NULL)\n \t\t\tgoto err;\n \n-\t\tpqueue_insert(s-\u003ed1-\u003ebuffered_messages, item);\n+\t\titem \u003d pqueue_insert(s-\u003ed1-\u003ebuffered_messages, item);\n+\t\t/* pqueue_insert fails iff a duplicate item is inserted.\n+\t\t * However, |item| cannot be a duplicate. If it were,\n+\t\t * |pqueue_find|, above, would have returned it. Then, either\n+\t\t * |frag_len| !\u003d |msg_hdr-\u003emsg_len| in which case |item| is set\n+\t\t * to NULL and it will have been processed with\n+\t\t * |dtls1_reassemble_fragment|, above, or the record will have\n+\t\t * been discarded. */\n+\t\tOPENSSL_assert(item !\u003d NULL);\n \t\t}\n \n \treturn DTLS1_HM_FRAGMENT_RETRY;\n","s":{"c":1756579214,"u": 9183}} ],"g": 10093,"chitpc": 0,"ehitpc": 0,"indexed":0 , "ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
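Review bot: the new `if (frag_len == 0) return DTLS1_HM_FRAGMENT_RETRY;` in dtls1_reassemble_fragment has no comment saying why a zero-length fragment is consumed here instead of being buffered. Because this early return is what makes the relaxed `frag_len < msg_hdr->msg_len` test in dtls1_process_out_of_seq_message safe, a one-line comment (e.g. "nothing to store: a zero-length fragment cannot advance reassembly, and buffering one leaks on a duplicate seq") would stop the two sites from drifting apart. The placement is right: it sits after the max-length `goto err` and before seq64be is populated, so within the visible hunk nothing has been allocated yet.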
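Review bot: in the second dtls1_reassemble_fragment hunk, `OPENSSL_assert(item != NULL);` turns any future mismatch between pqueue_find and pqueue_insert into a process abort reachable from network input. The comment's argument (a duplicate would have been found by pqueue_find above) is sound for this code, but an `err` label is already in reach two lines up (`goto err;`), so freeing the item and jumping to `err` would fail closed at the same cost and survive a later refactor of the find/insert pairing. If the assert stays, the comment should say explicitly that an abort is the intended outcome.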
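Review bot: in the dtls1_process_out_of_seq_message hunk that changes `if (frag_len && frag_len < msg_hdr->msg_len)` to `if (frag_len < msg_hdr->msg_len)`, the dropped `frag_len &&` is the actual fix for the leak, and nothing at the call site records that. The relaxed test now relies on dtls1_reassemble_fragment returning DTLS1_HM_FRAGMENT_RETRY for frag_len == 0 before it allocates; a short comment here pointing at that early return would keep a later reader from "optimising" the zero-length case back out. The following `frag_len > dtls1_max_handshake_message_len(s)` check is unaffected, since it is now reached only when frag_len >= msg_hdr->msg_len.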
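Review bot: the final hunk repeats the `item = pqueue_insert(...); OPENSSL_assert(item != NULL);` pattern with a seven-line justification that is harder to follow than the first one ("either |frag_len| != |msg_hdr->msg_len| in which case |item| is set to NULL ... or the record will have been discarded"). State the invariant once, briefly: a fragment whose seq is already queued is either discarded above or routed to dtls1_reassemble_fragment, so the insert here cannot collide. The same fail-closed concern as in the earlier hunk applies, and `goto err` is available two lines above this insert as well.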
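The commit message describes the leak abstractly: pqueue_insert returns NULL for a duplicate sequence number, the zero-length branch of dtls1_process_out_of_seq_message skipped reassembly, allocated a fresh fragment and ignored that return value. The following is a constructed C model of that pattern, added here as an illustration; it is not OpenSSL code and not part of this commit. The types item_t and pqueue_t, the counter live_items, the helpers seq_to_be and item_new, the two callers buffer_out_of_seq_buggy and buffer_out_of_seq_fixed, and the driver leaked_after are all stand-ins chosen for the example; only the contract of pqueue_insert (NULL iff the priority is already queued) and pqueue_find is taken from the commit text.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not OpenSSL code) of the leak this commit fixes: an
 * insert that returns NULL on a duplicate priority, a caller that ignores
 * that return, and the fixed caller that never allocates for a zero-length
 * fragment. Names echo the commit's identifiers but are stand-ins. */
typedef struct item_st {
    unsigned char seq[8];   /* big-endian 64-bit priority, like seq64be */
    unsigned char *frag;    /* owned fragment buffer */
    struct item_st *next;
} item_t;
typedef struct { item_t *head; } pqueue_t;
static long live_items = 0; /* live item allocations; exposes the leak */

static void seq_to_be(unsigned short seq, unsigned char out[8]) {
    memset(out, 0, 8); out[6] = (unsigned char)(seq >> 8); out[7] = (unsigned char)seq;
}

static item_t *pqueue_find(pqueue_t *q, const unsigned char seq[8]) {
    for (item_t *it = q->head; it; it = it->next)
        if (memcmp(it->seq, seq, 8) == 0) return it;
    return NULL;
}

/* Mirrors pqueue_insert's contract: NULL iff that priority is already queued.
 * A rejected item is still owned by the caller. */
static item_t *pqueue_insert(pqueue_t *q, item_t *it) {
    item_t **pp = &q->head;
    for (; *pp; pp = &(*pp)->next) {
        int c = memcmp((*pp)->seq, it->seq, 8);
        if (c == 0) return NULL;
        if (c > 0) break;
    }
    it->next = *pp;
    *pp = it;
    return it;
}

static item_t *item_new(const unsigned char seq[8], size_t frag_len) {
    item_t *it = calloc(1, sizeof *it);
    if (!it) return NULL;
    it->frag = malloc(frag_len ? frag_len : 1);
    if (!it->frag) { free(it); return NULL; }
    memcpy(it->seq, seq, 8);
    live_items++;
    return it;
}

static void item_free(item_t *it) { free(it->frag); free(it); live_items--; }

/* Pre-fix shape of dtls1_process_out_of_seq_message. A partial fragment of an
 * already-queued sequence number is kept (so it can be reassembled), but a
 * zero-length one then skips reassembly, allocates a fresh item and drops
 * pqueue_insert's return value: the item leaks on every repeat. */
static void buffer_out_of_seq_buggy(pqueue_t *q, unsigned short seq,
                                    size_t frag_len, size_t msg_len) {
    unsigned char seq64be[8];
    seq_to_be(seq, seq64be);
    item_t *item = pqueue_find(q, seq64be);
    if (item != NULL && frag_len < msg_len) item = NULL;
    if (item != NULL) return;                    /* complete duplicate: discard */
    if (frag_len && frag_len < msg_len) return;  /* reassembly path; not modelled */
    item = item_new(seq64be, frag_len);
    if (item == NULL) return;
    pqueue_insert(q, item);          /* BUG: NULL on duplicate, item leaked */
}

/* Post-fix shape: any fragment shorter than the message, including a
 * zero-length one, goes to reassembly, which returns before allocating when
 * frag_len == 0; the insert result is checked rather than ignored. */
static void buffer_out_of_seq_fixed(pqueue_t *q, unsigned short seq,
                                    size_t frag_len, size_t msg_len) {
    unsigned char seq64be[8];
    seq_to_be(seq, seq64be);
    item_t *item = pqueue_find(q, seq64be);
    if (item != NULL && frag_len < msg_len) item = NULL;
    if (item != NULL) return;
    if (frag_len < msg_len) return;  /* reassembly; frag_len == 0 returns early */
    item = item_new(seq64be, frag_len);
    if (item == NULL) return;
    if (pqueue_insert(q, item) == NULL)
        item_free(item);             /* unreachable given the find above; never leak */
}

/* Deliver n zero-length fragments for one sequence number and return how
 * many items are alive but unreachable from the queue, i.e. leaked. */
static long leaked_after(void (*fn)(pqueue_t *, unsigned short, size_t, size_t),
                         int n) {
    pqueue_t q = { NULL };
    long queued = 0;
    live_items = 0;
    for (int i = 0; i < n; i++) fn(&q, 5, 0, 100);
    for (item_t *it = q.head; it; it = it->next) queued++;
    long leaked = live_items - queued;
    while (q.head) { item_t *nx = q.head->next; item_free(q.head); q.head = nx; }
    return leaked;  /* the leaked items remain unreachable: that is the bug */
}
```

With five zero-length fragments for the same sequence number, the buggy caller leaks four items (the first insert succeeds, the other four are rejected and dropped) while the fixed caller allocates nothing; an attacker repeating such a datagram drives the buggy peer's heap up without bound, which is the exhaustion the commit message describes.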