- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 (DTLS DoS problems)
(#501253, #501254, #501572)
This commit is contained in:
Tomáš Mráz
parent
7723dd9040
commit
387d98c6e7
|
|
@ -0,0 +1,83 @@
|
|||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.c
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.c.dtls-dos 2005-06-28 14:53:33.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
|
||||
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+pqueue_size(pqueue_s *pq)
|
||||
+{
|
||||
+ pitem *item = pq->items;
|
||||
+ int count = 0;
|
||||
+
|
||||
+ while(item != NULL)
|
||||
+ {
|
||||
+ count++;
|
||||
+ item = item->next;
|
||||
+ }
|
||||
+ return count;
|
||||
+}
|
||||
diff -up openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos openssl-0.9.8k/crypto/pqueue/pqueue.h
|
||||
--- openssl-0.9.8k/crypto/pqueue/pqueue.h.dtls-dos 2009-04-21 11:43:58.000000000 +0200
|
||||
+++ openssl-0.9.8k/crypto/pqueue/pqueue.h 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
|
||||
pitem *pqueue_next(piterator *iter);
|
||||
|
||||
void pqueue_print(pqueue pq);
|
||||
+int pqueue_size(pqueue pq);
|
||||
|
||||
#endif /* ! HEADER_PQUEUE_H */
|
||||
diff -up openssl-0.9.8k/ssl/d1_both.c.dtls-dos openssl-0.9.8k/ssl/d1_both.c
|
||||
--- openssl-0.9.8k/ssl/d1_both.c.dtls-dos 2007-10-17 23:17:49.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_both.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -519,6 +519,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
|
||||
if ( s->d1->handshake_read_seq == frag->msg_header.seq)
|
||||
{
|
||||
+ unsigned long frag_len = frag->msg_header.frag_len;
|
||||
pqueue_pop(s->d1->buffered_messages);
|
||||
|
||||
al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
|
||||
@@ -536,7 +537,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
|
||||
if (al==0)
|
||||
{
|
||||
*ok = 1;
|
||||
- return frag->msg_header.frag_len;
|
||||
+ return frag_len;
|
||||
}
|
||||
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
@@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s,
|
||||
if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
|
||||
goto err;
|
||||
|
||||
- if (msg_hdr->seq <= s->d1->handshake_read_seq)
|
||||
+ /* Try to find item in queue, to prevent duplicate entries */
|
||||
+ pq_64bit_init(&seq64);
|
||||
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
|
||||
+ item = pqueue_find(s->d1->buffered_messages, seq64);
|
||||
+ pq_64bit_free(&seq64);
|
||||
+
|
||||
+ /* Discard the message if sequence number was already there, is
|
||||
+ * too far in the future or the fragment is already in the queue */
|
||||
+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
|
||||
+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
|
||||
{
|
||||
unsigned char devnull [256];
|
||||
|
||||
diff -up openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos openssl-0.9.8k/ssl/d1_pkt.c
|
||||
--- openssl-0.9.8k/ssl/d1_pkt.c.dtls-dos 2009-04-21 11:44:02.000000000 +0200
|
||||
+++ openssl-0.9.8k/ssl/d1_pkt.c 2009-05-21 18:26:29.000000000 +0200
|
||||
@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
|
||||
DTLS1_RECORD_DATA *rdata;
|
||||
pitem *item;
|
||||
|
||||
+ /* Limit the size of the queue to prevent DOS attacks */
|
||||
+ if (pqueue_size(queue->q) >= 100)
|
||||
+ return 0;
|
||||
+
|
||||
rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
|
||||
item = pitem_new(priority, rdata);
|
||||
if (rdata == NULL || item == NULL)
|
||||
|
|
@ -23,7 +23,7 @@
|
|||
Summary: A general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 0.9.8k
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# We remove certain patented algorithms from the openssl source tarball
|
||||
# with the hobble-openssl script which is included below.
|
||||
Source: openssl-%{version}-usa.tar.bz2
|
||||
|
|
@ -66,6 +66,7 @@ Patch49: openssl-0.9.8j-fips-no-pairwise.patch
|
|||
Patch50: openssl-0.9.8j-fips-rng-seed.patch
|
||||
Patch51: openssl-0.9.8k-multi-crl.patch
|
||||
Patch52: openssl-0.9.8k-dtls-compat.patch
|
||||
Patch53: openssl-0.9.8k-dtls-dos.patch
|
||||
# Backported fixes including security fixes
|
||||
|
||||
License: OpenSSL
|
||||
|
|
@ -152,6 +153,7 @@ from other formats to the formats used by the OpenSSL toolkit.
|
|||
%patch50 -p1 -b .rng-seed
|
||||
%patch51 -p1 -b .multi-crl
|
||||
%patch52 -p1 -b .dtls-compat
|
||||
%patch53 -p1 -b .dtls-dos
|
||||
|
||||
# Modify the various perl scripts to reference perl in the right location.
|
||||
perl util/perlpath.pl `dirname %{__perl}`
|
||||
|
|
@ -410,6 +412,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5
|
||||
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
|
||||
(DTLS DoS problems) (#501253, #501254, #501572)
|
||||
|
||||
* Tue Apr 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-4
|
||||
- support compatibility DTLS mode for CISCO AnyConnect (#464629)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue