vendor/openssl/0.9.8zc

author: Jung-uk Kim <jkim@FreeBSD.org> 2014-10-15 17:35:39 +0000
committer: Jung-uk Kim <jkim@FreeBSD.org> 2014-10-15 17:35:39 +0000
commit: f62b4332f57a140c7a64082fb139c06b1a71584c (patch)
tree: 8df07ff17fed10701bf6420470d0c11581fdf345 /ssl/s3_pkt.c
parent: 2af9154f28669943cf601ecc3c9bbbe372587787 (diff)
1 files changed, 18 insertions, 1 deletions
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index dbbee635c9344..a3b45fba9dc1a 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -229,6 +229,12 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 	return(n);
 	}
 
+/* MAX_EMPTY_RECORDS defines the number of consecutive, empty records that will
+ * be processed per call to ssl3_get_record. Without this limit an attacker
+ * could send empty records at a faster rate than we can process and cause
+ * ssl3_get_record to loop forever. */
+#define MAX_EMPTY_RECORDS 32
+
 /* Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
@@ -249,6 +255,7 @@ static int ssl3_get_record(SSL *s)
 	short version;
 	unsigned mac_size, orig_len;
 	size_t extra;
+	unsigned empty_record_count = 0;
 
 	rr= &(s->s3->rrec);
 	sess=s->session;
@@ -476,7 +483,17 @@ printf("\n");
 	s->packet_length=0;
 
 	/* just read a 0 length packet */
-	if (rr->length == 0) goto again;
+	if (rr->length == 0)
+		{
+		empty_record_count++;
+		if (empty_record_count > MAX_EMPTY_RECORDS)
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_RECORD_TOO_SMALL);
+			goto f_err;
+			}
+		goto again;
+		}
 
 	return(1);
author	Jung-uk Kim <jkim@FreeBSD.org>	2014-10-15 17:35:39 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2014-10-15 17:35:39 +0000
commit	f62b4332f57a140c7a64082fb139c06b1a71584c (patch)
tree	8df07ff17fed10701bf6420470d0c11581fdf345 /ssl/s3_pkt.c
parent	2af9154f28669943cf601ecc3c9bbbe372587787 (diff)