authorCaolán McNamara <caolanm@redhat.com>2014-10-17 11:07:59 +0100
committerAndras Timar <andras.timar@collabora.com>2014-10-17 06:23:22 -0700
commit2ae53ab6e6e8eee4384648ab8b40bba72ce746ba (patch)
treeed001823d7932838e2356390484e4f9d2dbcaf9a /external/openssl/CVE-2014-3507.patch
parentc1b850ed0ad3740fb7dc731f0f1bb49b7f5562d4 (diff)
CVE-2014-3566 (etc)
i.e. sync with the Fedora 20 openssl-1.0.1e security backports. Change-Id: I9e07d3aad7f0c7a3fd684d4e52b3b952cfb2f82d
Diffstat (limited to 'external/openssl/CVE-2014-3507.patch')
-rw-r--r--external/openssl/CVE-2014-3507.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/external/openssl/CVE-2014-3507.patch b/external/openssl/CVE-2014-3507.patch
new file mode 100644
index 000000000000..4ea0b69ab21a
--- /dev/null
+++ b/external/openssl/CVE-2014-3507.patch
@@ -0,0 +1,53 @@
+diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c
+--- a/a/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200
++++ b/b/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200
+@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct
+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
+ goto err;
+
++ if (frag_len == 0)
++ return DTLS1_HM_FRAGMENT_RETRY;
++
+ /* Try to find item in queue */
+ memset(seq64be,0,sizeof(seq64be));
+ seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct
+ i = -1;
+ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it and control
++ * would never have reached this branch. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;
+@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s,
+ }
+ else
+ {
+- if (frag_len && frag_len < msg_hdr->msg_len)
++ if (frag_len < msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
+ if (frag_len > dtls1_max_handshake_message_len(s))
+@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s,
+ if ( item == NULL)
+ goto err;
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it. Then, either
++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
++ * to NULL and it will have been processed with
++ * |dtls1_reassemble_fragment|, above, or the record will have
++ * been discarded. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;