Fix an Uninit read in DTLS

If we have a handshake fragment waiting then dtls1_read_bytes() was not correctly setting the value of recvd_type, leading to an uninit read. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Matt Caswell <matt@openssl.org> 2016-09-28 14:12:26 +0100
committer: Matt Caswell <matt@openssl.org> 2016-09-29 09:58:14 +0100
commit: 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (patch)
tree: 74030b2ce8d0924918959244763f2e9287a309aa /ssl
parent: 55386bef807c7edd0f1db036c0ed464b28a61d68 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 2455c2bd12..1d16319f14 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
     /*
      * check whether there's a handshake message (client hello?) waiting
      */
-    if ((ret = have_handshake_fragment(s, type, buf, len)))
+    if ((ret = have_handshake_fragment(s, type, buf, len))) {
+        *recvd_type = SSL3_RT_HANDSHAKE;
         return ret;
+    }
 
     /*
      * Now s->rlayer.d->handshake_fragment_len == 0 if
author	Matt Caswell <matt@openssl.org>	2016-09-28 14:12:26 +0100
committer	Matt Caswell <matt@openssl.org>	2016-09-29 09:58:14 +0100
commit	2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (patch)
tree	74030b2ce8d0924918959244763f2e9287a309aa /ssl
parent	55386bef807c7edd0f1db036c0ed464b28a61d68 (diff)