From 338a5e7e5458edf4cf754fd831a451fb4b57d180 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 6 Jun 2014 14:25:52 -0700
Subject: [PATCH] Fix DTLS handshake message size checks.
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
Wholly based on patch by Adam Langley with one minor amendment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
ssl/d1_both.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)
Index: openssl-0.9.8k/ssl/d1_both.c
===================================================================
--- openssl-0.9.8k.orig/ssl/d1_both.c 2014-08-07 08:25:55.302851514 -0400
+++ openssl-0.9.8k/ssl/d1_both.c 2014-08-07 08:30:16.646858512 -0400
+/* dtls1_max_handshake_message_len returns the maximum number of bytes
+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
+ * be greater if the maximum certificate list size requires it. */
+static unsigned long dtls1_max_handshake_message_len(const SSL *s)
+ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
+ if (max_len < (unsigned long)s->max_cert_list)
+ return s->max_cert_list;
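Review bot: the comment above dtls1_max_handshake_message_len says "The minimum is 16KB", but the floor it actually computes is DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH, i.e. the handshake header plus a full encrypted record, which is more than 16KB of plaintext; either quote that expression in the comment or say "slightly more than 16KB" so the comment and the code agree. The comment should also say that the s->max_cert_list branch raises the cap for every handshake message type, not only Certificate, since the function takes no message type and is applied to whatever frag_len arrives; that is acceptable as a bound on allocation, but a reader would otherwise expect the larger limit to be Certificate-specific.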
dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ if (frag_len > dtls1_max_handshake_message_len(s))
frag = dtls1_hm_fragment_new(frag_len);
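Review bot: the new frag_len check in dtls1_process_out_of_seq_message bounds exactly the value that is passed to dtls1_hm_fragment_new(frag_len) a few lines later, so the allocation in this non-fragmented path is now capped. What is not checked here is msg_hdr->msg_len, and the commit message identifies the msg_len-sized allocation in dtls1_reassemble_fragment as the actual problem; please make sure that path applies the same dtls1_max_handshake_message_len(s) bound to msg_len before it allocates, otherwise a message delivered in fragments would still sidestep this cap. Minor: the comparison is against an unsigned long return value, so confirm frag_len is declared unsigned long in this function to avoid a signed/unsigned mismatch.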