wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Check the message type requested is the type received in DTLS

Browse source 
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
This commit is contained in:
Matt Caswell 2015-05-29 17:05:01 +01:00
parent 1c8a527cff
commit 8c2b1d872b
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
ssl/d1_both.c
View file

@ -478,6 +478,12 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
return i;
}
if (mt >= 0 && s->s3->tmp.message_type != mt) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
p = (unsigned char *)s->init_buf->data;
msg_len = msg_hdr->msg_len;