From cce3e4adb78a8d3eeb6e0e4efe332fcc5d75f615 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 9 Mar 2015 16:09:04 +0000 Subject: [PATCH] Clear state in DTLSv1_listen This is a backport of commit e83ee04bb7de800cdb71d522fa562e99328003a3 from the master branch (and this has also been applied to 1.0.2). In 1.0.2 this was CVE-2015-0207. For other branches there is no known security issue, but this is being backported as a precautionary measure. The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invokation to the next. Reviewed-by: Richard Levitte --- ssl/d1_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 94acb15de6..011d7b7cbe 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -496,6 +496,9 @@ int dtls1_listen(SSL *s, struct sockaddr *client) { int ret; + /* Ensure there is no state left over from a previous invocation */ + SSL_clear(s); + SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); s->d1->listen = 1;