authorMatt Caswell <matt@openssl.org>2014-07-24 23:54:28 +0100
committerMatt Caswell <matt@openssl.org>2014-08-06 22:02:00 +0100
commit6e14e7fc19ab8c16ec7e7cb69404b96cf591a575 (patch)
treed8f70d1ea13b2b8b634c9c09d8b8259c524fdb95
parentfc15c440498f815e384f496c5913fe1db9f69a28 (diff)
downloadopenssl-6e14e7fc19ab8c16ec7e7cb69404b96cf591a575.tar.gz
Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam Langley. Reviewed-by: Emilia Käsper <emilia@openssl.org>
-rw-r--r--ssl/d1_both.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 961ac511d2..3a4819f0e9 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -657,7 +657,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
/* read the body of the fragment (header has already been read */
i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
frag->fragment + msg_hdr->frag_off,frag_len,0);
- if (i<=0 || (unsigned long)i!=frag_len)
+ if ((unsigned long)i!=frag_len)
+ i=-1;
+ if (i<=0)
goto err;
RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,