Verify that we have a sensible message len and fail if not

RT#3592 provides an instance where the OPENSSL_assert that this commit replaces can be hit. I was able to recreate this issue by forcing the underlying BIO to misbehave and come back with very small mtu values. This happens the second time around the while loop after we have detected that the MTU has been exceeded following the call to dtls1_write_bytes. Reviewed-by: Tim Hudson <tjh@openssl.org> (cherry picked from commit cf75017bfd60333ff65edf9840001cd2c49870a3)
author: Matt Caswell <matt@openssl.org> 2014-12-01 11:10:38 +0000
committer: Matt Caswell <matt@openssl.org> 2014-12-03 09:32:48 +0000
commit: 8454d3f924bb642665679353dee983f7d325f714 (patch)
tree: 6efddd34f04bf1ea2886789ce64c2f4c2307b9c7 /ssl/d1_both.c
parent: 5004c22c25af92358eaab4ac515686d096a0f84c (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index b58fdc2f1d..99a031c0af 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -324,12 +324,18 @@ int dtls1_do_write(SSL *s, int type)
 					len = s->init_num;
 				}
 
+			if ( len < DTLS1_HM_HEADER_LENGTH )
+				{
+				/*
+				 * len is so small that we really can't do anything sensible
+				 * so fail
+				 */
+				return -1;
+				}
 			dtls1_fix_message_header(s, frag_off, 
 				len - DTLS1_HM_HEADER_LENGTH);
 
 			dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
-
-			OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
 			}
 
 		ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],
author	Matt Caswell <matt@openssl.org>	2014-12-01 11:10:38 +0000
committer	Matt Caswell <matt@openssl.org>	2014-12-03 09:32:48 +0000
commit	8454d3f924bb642665679353dee983f7d325f714 (patch)
tree	6efddd34f04bf1ea2886789ce64c2f4c2307b9c7 /ssl/d1_both.c
parent	5004c22c25af92358eaab4ac515686d096a0f84c (diff)