Don't attempt to send fragments > max_send_fragment in DTLS

We were allocating the write buffer based on the size of max_send_fragment, but ignoring it when writing data. We should fragment handshake messages if they exceed max_send_fragment and reject application data writes that are too large. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3286)
author: Matt Caswell <matt@openssl.org> 2017-04-21 14:00:20 +0100
committer: Matt Caswell <matt@openssl.org> 2017-04-25 11:13:39 +0100
commit: aefb925647175a310df73416c9c7253424a65106 (patch)
tree: 97d2879bf217a87b49a0e9c32a50e120f0e1fb72 /ssl/statem/statem_dtls.c
parent: bd79bcb42bab120575fc398692b7b61b1c5e6ed2 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 34964dbd5d..b2ba35763a 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -214,6 +214,9 @@ int dtls1_do_write(SSL *s, int type)
         else
             len = s->init_num;
 
+        if (len > s->max_send_fragment)
+            len = s->max_send_fragment;
+
         /*
          * XDTLS: this function is too long.  split out the CCS part
          */
author	Matt Caswell <matt@openssl.org>	2017-04-21 14:00:20 +0100
committer	Matt Caswell <matt@openssl.org>	2017-04-25 11:13:39 +0100
commit	aefb925647175a310df73416c9c7253424a65106 (patch)
tree	97d2879bf217a87b49a0e9c32a50e120f0e1fb72 /ssl/statem/statem_dtls.c
parent	bd79bcb42bab120575fc398692b7b61b1c5e6ed2 (diff)