Firstly, the bitmap we use for replay protection was ending up with zero
length, so a _single_ pair of packets getting switched around would cause one of them to be 'dropped'. Secondly, it wasn't even _dropping_ the offending packets, in the non-blocking case. It was just returning garbage instead. PR: #1752 Submitted by: David Woodhouse <dwmw2@infradead.org>
This commit is contained in:
parent
ab073bad4f
commit
4db3e88459
2 changed files with 2 additions and 0 deletions
|
@ -106,6 +106,7 @@ int dtls1_new(SSL *s)
|
|||
pq_64bit_init(&(d1->bitmap.map));
|
||||
pq_64bit_init(&(d1->bitmap.max_seq_num));
|
||||
|
||||
d1->next_bitmap.length = d1->bitmap.length;
|
||||
pq_64bit_init(&(d1->next_bitmap.map));
|
||||
pq_64bit_init(&(d1->next_bitmap.max_seq_num));
|
||||
|
||||
|
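Review bot: The added `d1->next_bitmap.length = d1->bitmap.length;` only has the intended effect if `d1->bitmap.length` has already been assigned above this hunk; that assignment is not visible here, and if it is missing or comes later both windows stay at zero length and the replay check degrades to the behaviour the commit message describes. A one-line comment would make the ordering dependency explicit for the next person who reorders dtls1_new: `/* next_bitmap mirrors bitmap's window size; bitmap.length must be set before this line */`. dtls1_new begins and ends outside this hunk, so the struct's initial state cannot be confirmed from the diff alone.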
|
|
@ -597,6 +597,7 @@ again:
|
|||
/* check whether this is a repeat, or aged record */
|
||||
if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
|
||||
{
|
||||
rr->length = 0;
|
||||
s->packet_length=0; /* dump this record */
|
||||
goto again; /* get another record */
|
||||
}
|
||||
|
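Review bot: The new `rr->length = 0;` carries the actual security fix but nothing in the hunk says why it is needed alongside `s->packet_length=0`, and the existing `/* dump this record */` comment sits on the other line. Per the commit message the failure mode is that, in non-blocking mode, `goto again` can return to the caller before a fresh record is read, so a stale `rr->length` hands back bytes of a replayed or out-of-window record; that is worth stating in code: `rr->length = 0; /* non-blocking re-read below may return early; never expose a replayed record's bytes */`. The enclosing function starts and ends outside this hunk, so whether other `rr` fields (e.g. an offset) also need resetting cannot be judged from here and is left as something to check against the full function.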
|