authorMatt Caswell <matt@openssl.org>2016-09-10 21:24:40 +0100
committerMatt Caswell <matt@openssl.org>2016-09-22 09:28:07 +0100
commit63658103d4441924f8dbfc517b99bb54758a98b9 (patch)
treef20ce1722595ea6e7fae3a31b338564b1ba52096 /ssl
parent6d32c2ae28952b5c1d7a24968e488532fcadc51a (diff)
Fix a hang with SSL_peek()
If, while calling SSL_peek(), we read an empty record, then we go into an infinite loop, continually trying to read data from the empty record and never making any progress. This could be exploited by a malicious peer in a Denial of Service attack. CVE-2016-6305. GitHub Issue #1563. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/rec_layer_s3.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index abde9d4a73..0775095b9a 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1133,7 +1133,11 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
memcpy(buf, &(rr->data[rr->off]), n);
buf += n;
- if (!peek) {
+ if (peek) {
+ /* Mark any zero length record as consumed CVE-2016-6305 */
+ if (SSL3_RECORD_get_length(rr) == 0)
+ SSL3_RECORD_set_read(rr);
+ } else {
SSL3_RECORD_sub_length(rr, n);
SSL3_RECORD_add_off(rr, n);
if (SSL3_RECORD_get_length(rr) == 0) {