PKG_NAME:=openssl
PKG_VERSION:=0.9.8i
-PKG_RELEASE:=3.1
+PKG_RELEASE:=3.2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.openssl.org/source/ \
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
+
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
+ DTLS1_RECORD_DATA *rdata;
+ pitem *item;
+
++ /* Limit the size of the queue to prevent DOS attacks */
++ if (pqueue_size(queue->q) >= 100)
++ return 0;
++
+ rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+ item = pitem_new(priority, rdata);
+ if (rdata == NULL || item == NULL)
+--- a/crypto/pqueue/pqueue.c
++++ b/crypto/pqueue/pqueue.c
+@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
+
+ return ret;
+ }
++
++int
++pqueue_size(pqueue_s *pq)
++{
++ pitem *item = pq->items;
++ int count = 0;
++
++ while(item != NULL)
++ {
++ count++;
++ item = item->next;
++ }
++ return count;
++}
+--- a/crypto/pqueue/pqueue.h
++++ b/crypto/pqueue/pqueue.h
+@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
+ pitem *pqueue_next(piterator *iter);
+
+ void pqueue_print(pqueue pq);
++int pqueue_size(pqueue pq);
+
+ #endif /* ! HEADER_PQUEUE_H */
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -561,7 +561,16 @@ dtls1_process_out_of_seq_message(SSL *s,
+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+ goto err;
+
+- if (msg_hdr->seq <= s->d1->handshake_read_seq)
++ /* Try to find item in queue, to prevent duplicate entries */
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ item = pqueue_find(s->d1->buffered_messages, seq64);
++ pq_64bit_free(&seq64);
++
++ /* Discard the message if sequence number was already there, is
++ * too far in the future or the fragment is already in the queue */
++ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
++ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
+ {
+ unsigned char devnull [256];
+
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -530,13 +530,14 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+ frag->fragment,frag->msg_header.frag_len);
+ }
+
++ unsigned long frag_len = frag->msg_header.frag_len;
+ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+
+ if (al==0)
+ {
+ *ok = 1;
+- return frag->msg_header.frag_len;
++ return frag_len;
+ }
+
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
--- /dev/null
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
+
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -585,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s,
+ }
+ }
+
+- frag = dtls1_hm_fragment_new(frag_len);
+- if ( frag == NULL)
+- goto err;
++ if (frag_len)
++ {
++ frag = dtls1_hm_fragment_new(frag_len);
++ if ( frag == NULL)
++ goto err;
+
+- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
++ memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
+
+- if (frag_len)
+- {
+- /* read the body of the fragment (header has already been read */
++ /* read the body of the fragment (header has already been read) */
+ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ frag->fragment,frag_len,0);
+ if (i<=0 || (unsigned long)i!=frag_len)
+ goto err;
+- }
+
+- pq_64bit_init(&seq64);
+- pq_64bit_assign_word(&seq64, msg_hdr->seq);
++ pq_64bit_init(&seq64);
++ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+
+- item = pitem_new(seq64, frag);
+- pq_64bit_free(&seq64);
+- if ( item == NULL)
+- goto err;
++ item = pitem_new(seq64, frag);
++ pq_64bit_free(&seq64);
++ if ( item == NULL)
++ goto err;
++
++ pqueue_insert(s->d1->buffered_messages, item);
++ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
projects / openwrt / svn-archive / archive.git / commitdiff